1. Why should we care?
The basic rule under the GDPR, like the data protection directive before it, is that international transfers of personal data from the EU (now we should say the EU/EEA/UK) are prohibited. Various exceptions to this are permitted, i.e.:
a) an adequacy decision from the EU Commission, which indicates that the legal framework covering a country, a territory, certain sectors within a territory or an international organisation, ensures an adequate level of protection so that EU personal data can be exported there;
b) other appropriate safeguards which may include binding corporate rules, contractual clauses adopted by the EU Commission or national Supervisory Authorities, or other ad hoc contracts, or future certifications and codes of conduct;
c) individual cases such as individual explicit consent, necessity for conclusion of a contract etc.
So, for personal data exports outside the EU, we need one of the above.
2. How did we get here?
US laws have always been considered less protective of individuals than EU privacy rules (including the Charter of Fundamental Rights). However, in an effort to provide an easy route for transatlantic data flows, in the year 2000 the EU Commission approved a “Safe Harbor” framework agreed by EU and U.S. authorities which allowed exports from the EU/EEA to participating organisations in the USA without further authorisation being necessary.
In 2015, the EU Court found that the EU Commission decision to approve the Safe Harbor as giving adequate protection to personal data was illegal (in a case known as the ‘Schrems’ case after Max Schrems, a regular complainant against data processing and export practices in particular by Facebook). By early 2016, however, the EU and US authorities created the EU-U.S. Privacy Shield framework, which sought to solve the issues raised by the court.
The Privacy Shield framework and the EU Commission’s standard contractual clauses (SCCs) were challenged in an Irish court as not providing sufficient protections for data exports to the USA, with this case being more or less affectionately referred to as ‘Schrems II’.
3. What did the court decide?
a) The Standard Contractual Clauses
The Court found that there was no fundamental problem with the Standard Contractual Clauses. Even though, as a contract, they don’t bind public authorities, the question is whether there are effective mechanisms to ensure similar levels of protection as under EU laws and if not whether transfers can be suspended. The Court held that this is so: the data exporter in the EU (and the US data importer) must verify, before making a transfer, whether the levels of protection in the destination country are sufficient (and the US data importer must indicate if this is not so). If not then data transfers should be suspended or the contract terminated. Tellingly, in addition, a supervisory authority should also suspend transfers where EU standards will or cannot be met (of which more later).
b) The Privacy Shield
In contrast, the Court noted that the EU Commission’s Privacy Shield decision itself acknowledged that US requirements of national security, public interest and law enforcement have primacy over the requirements of the framework. In addition, access to and use of data by US public authorities are not limited by law as they are in the EU, and in particular do not give non-US persons rights of action against US authorities. The Privacy Shield had sought to overcome this with an Ombudsperson mechanism, but the Court found that this did meet sufficient requirements of independence and ability to bind the US intelligence services. So the EU Commission’s Privacy Shield decision was found to be invalid.
4. What do we need to do?
We now cannot rely solely on the Privacy Shield for data exports from the EU/EEA/UK to the USA (note that the Swiss-U.S. Privacy Shield framework is unaffected). It’s possible that the SCCs are also not sufficient on their own as they also don’t overcome the issue of access to data by US public authorities. By extension, SCCs may also be ineffective to permit data exports to other territories where local laws can override the personal data protections that the SCCs seek to create.
Right now we can take the following steps:
- List all our international data transfers – to the US and elsewhere (for customer/user data, HR data, CRM data etc.). Also include onward transfers from the USA to third party service providers / data processors;
- Check and indicate which mechanisms are currently used in each case (Privacy Shield, SCCs, binding corporate rules, other adequacy decision);
- If Privacy Shield is the only mechanism or one of the mechanisms used, engage with the exporter or importer to consider solutions (which may mean signing SCCs or even moving to servers in the EU where this is an option). We should also consider enhancing the SCCs with additional provisions (e.g. pseudonymization, anonymization, short retention periods) which may limit access by US authorities;
- Look out for guidance from EU supervisory authorities. Most have said they are investigating, but some in particular in Germany and the Netherlands, have already indicated that SCCs alone are not sufficient.
5. What happens next?
Eden Legal’s best guess on the future would be the following:
1. Edgy business-as-usual
Unless we use binding corporate rules for intra-group transfers, for EU/EEA/UK to US transfers the SCCs are really all we currently have. So we can sign them, maybe with some additional protections, and wait. One by one, however, EU supervisory authorities (or even the European Data Protection Board – UPDATE 28-07-2020 – the EDPB issued FAQs stressing that the Court’s assessment of US laws was that they do not ensure an equivalent level of protection) may rule them out for the USA or other territories (for example, in the Schrems II case, the Irish court and data protection commissioner still need to take the EU Court judgment and translate into a decision). So, while this may keep data flows going for now, it may not last long.
2. “The SCCs are dead”
This is a distinct possibility, at least for transfers to the USA. Just to keep things interesting the EU Commission has been working on new SCCs (kept back until now to be able to take account of this judgment) which may be helpful. National Supervisory Authorities could also adopt their own. The GDPR also foresees that codes of conduct or certification schemes might in future provide appropriate safeguards.
Given the EU court’s emphasis on the data exporter to assess the legal position in the destination country, do we need to add “international transfer assessments” to our data protection compliance toolkit? Eden Legal believes only the largest data exporters can realistically do this for each transfer. Can we rely on public or contractual assurances by US data importers that transfers can continue (e.g. those from Microsoft)?
This may mean there is no safe, practical way of exporting personal data to the USA. So European data controllers may increasingly choose European-based data solutions, and US data processors may need to accommodate them.
On top of all this, we have Brexit: these considerations, and prior assessments, will need be applied for transfers to the UK, as a third country, which has already had legal issues over the compatibility of UK data interception laws and practices with EU law.
3. Third time lucky
We’re told that transatlantic data flows underpin trade worth USD 7.1 trillion. So the EU and US authorities are very likely to try to agree a new framework to facilitate this business. However, this might require changes to US domestic law and constitutional rights, which is not simple and could depend on which administration is in charge at the time.
So we may end up with new SCCs and a new EU-U.S. Privacy framework. But given the uncertainty and propensity for litigation in this area, businesses and their info-sec advisors may prefer to become stricter on keeping European data in Europe. Schrems III, ca. 2025, anyone?