Schrems II – Invalidation of the US-EU Privacy Shield

It’s hard to believe that it’s been almost five years since the Court of Justice of the European Union (“CJEU”) decided Schrems I, invalidating the safe harbor provisions for transfer of personal data of European nationals to the United States. The safe harbor provisions were a set of data privacy principles US companies would agree to follow in order to receive personal data of EU and Swiss persons. That decision required a lot of technology agreements to be modified so they did not rely on the safe harbor provisions.

One of the reasons the safe harbor provisions were struck down was that they did not bind the US government. A US company could agree to follow the principles, but that agreement did nothing to stop the US government from collecting the same data under surveillance programs that, while legal in the US, would not be permitted under EU law.

After Schrems I, the US and EU entered into negotiations on a new set of privacy principles that would be implemented by the US government. One result was the passage of the Judicial Redress Act that gave non-US nationals the right to sue in US courts for privacy violations, including violations by the federal government of the Privacy Act of 1974.

On July 16, 2020, the CJEU issued another opinion in the case brought by Max Schrems. In this latest opinion, the CJEU invalidated the EU-US Privacy Shield. Even though the Privacy Shield added commitments for participating companies and a redress mechanism (an Ombudsperson at the State Department), it was found invalid because US domestic law still permits the government to carry out surveillance of transferred data that the CJEU found was not limited to what is strictly necessary, and because the Ombudsperson was not independent of the executive and could not issue decisions binding on the intelligence agencies. In the court's view, that left EU persons without the "essentially equivalent" protection and the effective judicial redress that EU law requires.

The decision may have impacts well beyond data transfers from the EU to the US. The rationale of the opinion would apply equally to transfers of data to countries with similar or less protective surveillance laws. If transfers to other countries, such as China, are allowed to continue while transfers to the US are not, the US would have a good basis to claim that the invalidation of the Privacy Shield is discriminatory and that the EU is in violation of its obligations as a WTO member.

Parties, however, remain able to use the Standard Contractual Clauses adopted by the European Commission. In fact, the CJEU specifically upheld the Commission Decision establishing these clauses. In doing so, though, the court stressed that merely signing the clauses is not enough. The data exporter and the data importer must verify, before transferring, that the law of the destination country actually allows the importer to comply with the clauses; where it does not, they must adopt supplementary measures (technical, contractual, or organizational) that close the gap, and if no such measures are available the transfer must be suspended. Companies in the US and the EU will therefore need to implement policies and procedures to assess the surveillance laws they are exposed to, monitor compliance with the clauses, and enforce them.

Garmin’s Ransomware Hack

I’m a runner and Garmin user. My current watch is a ForeRunner 645M. I love their devices and services. I first noticed that Garmin was having technical issues when a run wouldn’t sync with the app on my phone and their Garmin Connect website. I soon saw a number of tweets about the outage.

After a day or so, I saw speculation about a ransomware attack, and that Garmin was refusing to pay. Unfortunately, it appears the bad guys may have gotten their payday. This was a bad situation that could have been much worse. Thankfully, it appears only Garmin’s commercial fitness business was compromised. That at least shows they are compartmentalizing the affected systems from their military, aviation, and marine products.

As the situation dragged on, more users noticed, and after a couple of days many were complaining on social media, especially Twitter. However, I was surprised to see a number of users cheering Garmin on. These users were under the impression that Garmin was refusing to pay the ransom and was instead rebuilding the affected systems from scratch. Many users seemed to prefer a prolonged outage to rewarding the hackers.

Unfortunately, it has been reported that Garmin paid the ransom. While paying got Garmin’s services up and running without a loss of customer data, it also rewards the hackers and funds the next campaign. From a public relations standpoint, this episode certainly makes it appear that the better course of action is to refuse to pay, even if that means more downtime.

Of course, it isn’t as simple as not paying. Refusing the ransom only works if a company can actually restore without the attacker's key. That means backup systems that are isolated from the production environment (offline or otherwise unreachable with the credentials an attacker obtains in production, since ransomware operators routinely locate and encrypt or delete any backups they can reach), backups taken frequently enough to keep data loss acceptable, and a practiced, tested procedure for moving that backup data back into production quickly. Depending on the extent of the compromise, that can be extremely difficult, and it will almost always be costly, which is why the decision to pay is usually made on the basis of restore time rather than principle.

There are other wrinkles in the story that make this hack troubling. In particular, it looks like the hackers may already be subject to sanctions imposed by the U.S. government. That could put Garmin, or its third-party contractor, Arete IR, which validated the decryption keys and paid the ransom, in violation of those sanctions. It also highlights the odd incentives this creates for companies like Arete IR.

These companies provide a service in the event of a ransomware attack. While that puts them in a position of benefiting from these crimes, that doesn’t bother me too much. Someone has to serve as a mutually trusted go-between. What did get my attention was the white paper Arete IR published the day after the attack started. The ransomware was identified as WastedLocker, which some have tied to Evil Corp, a Russian group that the U.S. Treasury placed under sanctions in December 2019. The brief paper attempts to throw cold water on the connection, but does not do so convincingly. It read like a defensive piece written quickly so that Arete IR and Garmin could claim a good faith belief that whoever was attacking Garmin with WastedLocker was not the sanctioned entity.