This Case Study introduces students to privacy issues in the transatlantic context. FinTech companies have access to sensitive data of their customers, and thus have to navigate an increasingly challenging landscape of data protection laws. Because data can cross borders very easily, there are often conflicts between data protection and data access laws of different countries. Such conflicts frequently arise between the U.S., which is home to many of the world’s largest internet companies, and the EU, which has a reputation for particularly rigorous privacy regulations.
The Case Study is about one specific example of such conflict, a controversial piece of recent U.S. legislation: the Clarifying Lawful Overseas Use of Data Act (CLOUD Act). An overarching theme of the Case Study is how privacy questions (i.e., under which circumstances should there be government access to certain data?) relate to the problem of sovereignty (i.e., which country should have the final say about such access?).
All students should be expected to have a good understanding of the CLOUD Act. The Annex provides students with some initial background, and many of the Appendices dealing with the CLOUD Act also include a descriptive component. Students should also have a basic appreciation of the European approach to transatlantic privacy and how it contrasts with the American approach.
The Case Study also touches on a number of more “law and technology” type questions in connection with the CLOUD Act, including data storage models and encryption-related questions. These issues were included in the Case Study because they demonstrate that the practical design of cloud storage operations may well have an impact on law enforcement’s ability to access the data. Even if the legal conflicts with the GDPR were sorted out, access would by no means be guaranteed in all cases. However, since an analysis of these questions is not strictly necessary to get a basic sense of the transatlantic conflicts that the CLOUD Act exposes, the instructor may also choose to exclude some or all of the technology-related questions from the assignment. Such exclusion might be especially advisable if class time is limited, or if the participants did not have prior exposure to privacy and EU law. The cover memo indicates through footnotes that the students should check with their supervisor if another team within the department is already working on these issues. If the issues are included in the assignment, students might be encountering these kinds of law-and-technology questions for the first time and should therefore not be expected to present a very detailed analysis; it generally suffices that they correctly summarize the literature on the respective issues. The more sophisticated and tech-savvy students may, of course, delve deeper into the nuances of these issues, but there should not be any pressure to do so.
The appendices include material that provides a general introduction to the CLOUD Act and transatlantic data privacy issues, as well as more specific material dealing with the individual issues to be discussed by the stakeholder groups. While the number of appendices may seem overwhelming, it should be noted that many documents are short blog posts or press statements that run only one or a few pages in length. For longer articles, generally only a small fraction of the article is assigned. The net amount of reading for the whole Case Study ranges approximately between 300 and 350 pages (depending on how one counts cover pages, abstracts and tables of contents).