Acxiom is one of those American companies that probably knows a lot about you, even if you’ve never heard of it.
The firm is a database marketing company, also known as a data broker—it builds “anonymized” profiles of people and sells them to advertisers, so they can better target their ads.
As such, Acxiom is of intense interest to Europe’s privacy regulators—privacy campaigners in the U.K. filed a complaint in late 2018, alleging that it was breaking the bloc’s tough General Data Protection Regulation (GDPR) by exploiting people’s personal data without their consent.
The company is also one of many to feel the impact of the recent “Schrems II” ruling by the EU’s top court, the Court of Justice. Citing insufficient privacy protections in the U.S, that decision instantly killed the Privacy Shield data-sharing agreement between the U.S. and the EU, while also casting into doubt the viability of another legal mechanism called standard contractual clauses (SCCs), which is widely used by companies from Facebook to Google as a basis for transferring Europeans’ data to U.S. servers.
Fortune had a chat this week with Acxiom’s Jordan Abbott, to discuss the firm’s take on that ruling and EU privacy regulation in general. Abbott has an interesting job title—chief data ethics officer.
Here’s a transcript of that conversation, lightly edited for clarity.
Fortune: What are the implications for businesses of the Schrems II decision?
Abbott: It is Groundhog Day all over again. We went through this with [Privacy Shield predecessor] Safe Harbor in 2015. When Privacy Shield was announced in 2016, my colleagues and I were skeptical about its long-term prospects. We believed at the time that it had the same sort of infirmities that plagued Safe Harbor. And, indeed, I made a prediction that at some point Privacy Shield would be challenged for many of the same reasons that Safe Harbor was challenged.
The immediate impact on businesses as a result of [the ruling] is that companies that were relying on Privacy Shield for data transfers from the EU to the U.S. now have to rely on an alternate mechanism of transfer, such as standard contractual clauses. Most companies don’t have binding corporate rules [or BCRs; a far more expensive, time-consuming legal mechanism for data transfers within multinationals] that have been approved by data protection authorities.
Fortunately for Acxiom, many of our agreements—if not most—had a belt-and-suspenders approach to data transfers, saying that in the event Privacy Shield is invalidated, transfers would rely on standard contractual clauses.
Even then, companies like Acxiom have to do an assessment to determine whether U.S. [legal protections for] transfers of data are essentially equivalent [to EU protections] to protect European citizens and, if there are issues, what sort of supplementary measures can be put in place to create essentially equivalent adequacy—things like encryption. For us, in addition to reviewing our agreements with our clients and our partners, we’re also doubling down on the necessity of data transfers, and data minimization.
So you are now relying on standard contractual clauses as the legal basis for your EU-to-U.S. transfers?
For data transfers from the U.K. to the U.S., the U.K. Information Commissioner’s Office and the U.S. Department of Commerce both said, “Keep doing what you’re doing for the time being,” while they study the decision more.
But for data transfers from the European Economic Area, we got additional guidance from the European Data Protection Board [the umbrella body for the EU’s privacy regulators] last week and it indicated that SCCs are valid, provided a case-by-case assessment is done with respect to the data importation. We’re building our assessments to do so right now.
There are two schools of thought about the Schrems II ruling as regards SCCs: one says no SCCs for data transfers to the U.S. will stand up now, because of U.S. surveillance practices; the other says this will only affect companies, such as Google and Facebook, that fall under Section 702 of the Foreign Intelligence Surveillance Act (FISA). What’s your take on this, and can Acxiom accurately tell an EU data protection authority or the European Data Protection Board that U.S. intelligence is not snooping on its data?
Acxiom’s current point of view is it’s a little bit of both, that companies will not be able to contract their way out of this issue. It is going to have to be solved by the governments of the affected countries, in this case the U.S. and EU—and to a certain extent, after the Brexit transition, the U.K.
But transfers to other countries could be impacted too. For those, they will need to address [the issue] on a political and government level.
I think for companies that use cloud providers, it would be difficult for them to say that they are not potentially subject to a Section 702 FISA program. But I do believe companies like Acxiom, that principally deal in demographic and lifestyle information that is used for marketing purposes…my hope and expectation is it is a lower area of risk.
Since Acxiom is not an Internet service provider or telecommunications company, we are not on the front lines of the Section 702 surveillance issue. To my knowledge, we haven’t been contacted by the U.S. government about data on EU citizens, at least not since Privacy Shield. The types of data we collect are a separate category that, I think, may be of less interest.
One other note: although we collect demographic and lifestyle information, we use best practices to safeguard the security and confidentiality of the data. Among other things, we are performing an assessment to confirm that our data transfers are encrypted—not just sensitive or special categories of data. Similarly, we are reviewing our data flows to confirm data minimization and that we are limiting what we share to only what is necessary for our clients, while maintaining appropriate transparency, access and control for individuals to review and correct their data.
Some have suggested that a way around the Schrems II ruling is to keep European data in the EU, rather than sending it to the U.S. Is this data-localization approach viable, or a red herring?
All options are being considered at this moment, including data localization or setting up data centers within the EU. However, we fundamentally believe the free flow of information between the EU and the U.S. is critical for both our economies, and indeed the world economy.
To the extent that a U.S. Acxiom associate has access to an EU data center to view data, then data localization would potentially be undermined. We think a better approach is a government solution that adequately protects European citizens while allowing for data transfers to places that facilitate efficient processing and data management.
Do you foresee a Big Tech lobbying push on this front in the U.S.?
I do believe there will be a big push by industry, including Big Tech companies, to advocate for a national privacy law in the U.S. And indeed that has been happening over the last year or so.
Certainly with the passage of the California Consumer Privacy Act, it underscores the need for a uniform and predictable approach in the United States that is also interoperable with other countries and other geographies and regions such as the EU.
I also believe that industry is supportive of granting European citizens essentially equivalent rights to those that are afforded to U.S. citizens. The problem that has to be overcome is constitutional and legal.
It deals with a principle called “standing”—the ability for a person to bring a case in court. The U.S. has to figure out a way to solve that problem and allow citizens outside the U.S. to bring claims to redress harm.
Given how the Court of Justice killed Privacy Shield and Safe Harbor for similar reasons, is there any point to the U.S. and EU trying to come up with a third version, while U.S. privacy law remains essentially inadequate?
It’s worthwhile to study the Court of Justice’s decision closely and see if a Privacy Shield 2.0 or Safe Harbor 3.0 is viable. Certainly, the court ruled that the Ombudsman [an office established under Privacy Shield to hear Europeans’ complaints about their data’s treatment in the U.S.] was not sufficiently independent, so perhaps a tribunal that is set up specifically for European citizens could be considered.
And that might be something that is worthwhile, because, back to the central issue, Acxiom and companies like us want to weed out the irresponsible behavior. We want to drive ethical and responsible behavior. We want to handle data in a fair and transparent manner. We think anything the governments can do to facilitate good behavior, while weeding out bad behavior, should be pursued.
But is a third agreement possible or not?
I think it’s worthwhile to at least look at it, study the Schrems II decision, see if there is opportunity to create a sustainable replacement to Privacy Shield, recognizing that the European courts may be skeptical about the chances for success.
I believe trust plays a vital role in building relationships and is essential to doing business in a data-driven economy. Things like SCCs, BCRs, supplementary measures—those all add to building trust and accountability, which is clearly important to European citizen and European data protection authorities.
Acxiom and companies like us want to do what we can to enhance trust and accountability.
Where do things stand with the EU investigation into data brokers and the GDPR?
Before Privacy International filed their complaint, the U.K. Information Commissioner’s Office had announced it was going to conduct an assessment of the Acxiom U.K. office in January 2019. We fully cooperated with that assessment. We believe the Privacy International complaint lacked merit and we have been in conversations with the ICO since.
We do not anticipate any sort of enforcement action and we have implemented some of the recommendations that [the ICO] have made to date, and we’re working with the ICO on the remaining issues. We’re hopeful that the matter will be resolved in due course.
