Privacy Shield Has Been Invalidated! Now What?
By James McKenzie
Thursday, the Court of Justice of the European Union (CJEU) invalidated its prior decision (Decision 2016/1250) on the adequacy of the protection provided by the EU-U.S. Data Protection Shield. The decision means thousands of U.S. companies that rely on Privacy Shield to transfer personal information from the European Union to the U.S. need to find a different mechanism for that transfer.
Following Edward Snowden’s 2013 disclosures concerning the surveillance activities of the United States intelligence services (in particular the National Security Agency), an Austrian college student, Max Schrems, launched a complaint with the Irish supervisory authority seeking to prohibit Facebook from transferring his data to the U.S. In his complaint, Schrems alleged that the U.S. does not offer sufficient protections against public authorities’ access to data transferred to the U.S.
Schrems’ initial complaint was rejected, but in October of 2015, the CJEU declared that the Safe Harbor principles, the original transfer mechanism put in place to allow transatlantic data transfers, were invalid (Schrems I). Following that decision, the EU and U.S. agreed to the Privacy Shield framework, which strengthened data protections and replaced Safe Harbor.
Following the Schrems I decision, Max Schrems amended and refiled his complaint to the Irish supervisory authorities asserting, again, that the United States does not offer sufficient protection of data transferred to that country. In what’s known as Schrems II, he sought to suspend or prohibit Facebook from future transfers of his personal data from the EU to the United States under standard data protection clauses set out by the CJEU in its Schrems I decision (decision 2010/87).
This brings us to today, and the significance of the CJEU’s ruling.
On July 17, the CJEU invalidated its prior decision (Decision 2016/1250) thereby invalidating the EU-U.S. Privacy Shield. Specifically, the CJEU found that “the Ombudsperson mechanism referred to in that decision does not provide data subjects with any cause of action before a body which offers guarantees substantially equivalent to those required by EU law, such as to ensure both the independence of the Ombudsperson provided for by that mechanism and the existence of rules empowering the Ombudsperson to adopt decisions that are binding on the US intelligence services. On all those grounds, the Court declares Decision 2016/1250 invalid.”
In addition, the CJEU determined that transfers pursuant to standard contractual clauses (SCCs) require a re-examination to determine if all obligations are being met, including as regards public authorities’ access to the data in that third country and the relevant aspects of the legal system of that third country. If the standard data protection clauses are not or cannot be complied with in that country and the recipient cannot ensure the protection of the data according to EU standards, the transfer must be suspended or prohibited.
More than 5,000 Companies Directly Impacted
Today’s decision essentially invalidates data transfers of the more than 5,300 companies that are currently certified under the EU-U.S. Privacy Shield Framework. This number does not take into account those companies who use or rely on Privacy Shield-certified companies to process data. Those companies will have additional work to do, as they now must review and update their vendor contracts. However, as mentioned below, the Department of Commerce will continue to enforce Privacy Shield requirements and process Privacy Shield certification and re-certification applications. Additionally, companies that have already paid for Privacy Shield services and certifications (some in the $1,000 - $10,000 range) will now have to pivot and likely pay to implement either standard contractual clauses or binding corporate rules, both of which can be expensive and time consuming (e.g., BCR approval times have taken as long as, if not longer than, 6 months).
But that’s not all. Companies that rely on SCCs to transfer personal data out of Europe are affected as well — not just in the U.S., but globally. These companies will need to assess whether they can provide the necessary protections for European data to alleviate the concerns raised by the court. As the CJEU has already found U.S. protections insufficient, U.S. companies need to understand whether the court’s concerns are applicable to them and, if so, how to provide protections that will meet EU standards.
Negative Economic Impact
Although this decision is a win for privacy advocates, the big question is how this will impact the fragile economies of the EU member states as well as the economy of the U.S., all of which are currently struggling from the COVID-19 pandemic and travel restrictions. Will this decision have a further negative impact, and if so, to what extent? If companies whose primary business is online retail cannot service customers in the EU, then it is likely those companies will see revenues and profits impacted, in some cases severely.
Swiss-U.S. Privacy Shield Framework
The CJEU decision invalidates the EU-U.S. Privacy Shield framework only. It does not invalidate data transfers from Switzerland to the U.S. under the Swiss-U.S. framework and certification. However, leading privacy experts agree that invalidation of the Swiss-U.S. framework may be coming soon.
If you are a Privacy Shield certified company, there are a number of steps you need to take now:
Continue to Comply: Continue to comply with your Privacy Shield obligations. The Department of Commerce has indicated that it will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield frameworks and maintaining the Privacy Shield List;
Review Vendor Relationships: Review your vendor relationships; identify your downstream vendors and those you have agreements with that either include Privacy Shield language or whose Privacy Shield certification you rely on in order to transfer data;
Review Privacy Notices: Review your privacy notices to determine the impact of this decision on your Privacy Shield program and related Privacy Shield affirmations in your notice;
Review Training and Communications: Review your employee training materials and employee communications to identify where you address Privacy Shield requirements and take note of areas of potential change; and
Review SCCs and BCRs: Review the standard contractual clauses identified by the CJEU in its decision 2010/87 in order to determine applicability to your organization. Also, depending on your corporate structure, binding corporate rules, or BCRs, may be a viable option for transferring data from affiliates in the EU to the US.
What are Standard Contractual Clauses?
SCCs are a set of contractual requirements that the EU sender and the non-EU receiver of personal data both agree to. SCCs were drafted as a means of protecting personal data leaving the European Economic Area (EEA) through contractual obligations in compliance with Article 46 of the EU General Data Protection Regulation. The SCCs are specifically intended to address privacy and data protection requirements in territories that are not considered to offer adequate data protection or rights for data subjects.
In order to use SCCs to transfer personal data out of the EEA they must be adopted completely and be unaltered. SCCs can be included in a general services contract and include additional safeguards and clauses so long as any additions do not conflict with SCC requirements or infringe on data subject rights. The European Commission has issued SCCs for both data controllers and data processors.
What are Binding Corporate Rules?
BCRs were developed by the EU Article 29 Working Party to allow multinational corporations, international organizations and groups of companies to make intra-organizational transfers of personal data across borders in compliance with EU data protection laws. BCRs are a set of internal terms and conditions that corporations must adhere to when transferring data from affiliates in the EU to affiliates outside of the EU, including the U.S. BCRs must be approved by the data protection authority in each EU member state in which the organization will rely on the BCRs; however, the EU has developed a mutual recognition process under which BCRs approved by one member state’s data protection authority may be approved by the other relevant states.
How Sentinel Can Help
Sentinel and our team of privacy experts have the experience and background to assist in navigating these uncertain waters. Specifically, Sentinel can assist your organization with the following:
Reviewing your privacy notices, training and employee communications and determining impact and areas of potential impact.
Determining the applicability of SCCs and developing an approach for implementation.
Reviewing third-party relationships and identifying which relationships may require updates or implementation of SCCs to satisfy downstream data transfers.
Helping to evaluate applicability of binding corporate rules and assist in drafting and submitting applications for approval.