Privacy Shield – Where do we go from here?

Published on September 15, 2020

The CJEU’s decision to end the Privacy Shield has left everyone wondering: What’s next? As of this writing, there are over 5,000 U.S. companies certified under the Privacy Shield framework, and many of them are now struggling to determine how to maintain lawful cross-border data transfers.

In order to face the challenges ahead, it is helpful to understand exactly how we got here. Prior to the Privacy Shield, there was the Safe Harbor. The Safe Harbor Privacy Principles, like the Privacy Shield, provided a legal framework for the transfer of data from the EU to the US. Although the United States did not qualify as a country that provided adequate protections, US companies that self-certified adherence to the Safe Harbor Principles were considered to meet the EU data protection requirements and therefore could continue receiving data from the EU.

The inevitable fall of the Safe Harbor agreement all started when Maximilian Schrems, an Austrian law student, did a semester abroad in California. He heard firsthand from a Facebook employee that the company considered EU privacy laws to be virtually inoperable, as there were no consequences for not complying with them. Not long after this disclosure, the Edward Snowden leaks revealed the National Security Agency’s PRISM program, which collected vast amounts of internet communications and personal data on foreigners directly from the servers of US companies, including Facebook.

The revelation prompted Schrems to bring his first complaint to the Irish Data Protection Commissioner (DPC) in 2013, where he argued that the transfer of his personal data from Facebook Ireland, Ltd. to Facebook USA should be prohibited based on the company’s involvement with the PRISM program. Facebook’s mandatory compliance with NSA demands to turn over personal data clearly showed the company could not also meet the adequate protections that EU law required, even under the Safe Harbor. In 2015, the CJEU ruled the Safe Harbor was invalid.

The US Department of Commerce and the Article 29 Working Party (which became the European Data Protection Board) got to work on creating a new framework to ensure that the EU-US transfer of data could continue, and in 2016 the Privacy Shield was adopted.

While the Privacy Shield aimed to address the issues that invalidated the Safe Harbor agreement, Schrems again brought a complaint against Facebook alleging the same concerns he had raised previously: his fundamental data protection and privacy rights under EU law were not upheld when his personal data was transferred to Facebook’s headquarters in the United States, even under the Privacy Shield. And again, in 2020, the CJEU sided with Schrems and invalidated the Privacy Shield, but upheld Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs) if additional safeguards ensured that personal data flowing to non-EU countries remained adequately protected.

Which brings us to today: how can companies that relied on the Privacy Shield agreement continue transferring data from the EU and fully comply with all of the EU’s data protection and privacy laws?

Unfortunately, the current options are limited and confusing. So much so that the United Kingdom’s data protection authority, the Information Commissioner’s Office (ICO), published guidance for the affected businesses stating, in sum:

The CJEU has confirmed how EU standards of data protection must travel with the data when it goes overseas, which means this judgment has wider implications than just the invalidation of the EU-US Privacy Shield. It is a judgment that confirms the importance of safeguards for personal data transferred out of the UK.

The ICO further warns that any continued data transfers outside of the EU relying solely on the Privacy Shield are now “illegal.” As it now stands, those companies previously relying on the now invalidated Privacy Shield appear to be relegated to Standard Contractual Clauses (SCCs), which are template contract clauses approved and adopted by the European Data Protection Board (EDPB). EU companies sending PII to their corporate locations outside the EU may similarly rely on Binding Corporate Rules (BCRs).

Critical to the use of SCCs and BCRs are the required data protection “supplementary measures” that must accompany these contractual provisions. The EDPB advised that:

[w]hether or not you can transfer personal data on the basis of SCCs [or BCRs] will depend on the … supplementary measures you could put in place. The supplementary measures along with SCCs [and BCRs], following a case-by-case analysis of the circumstances surrounding the transfer, would have to ensure that U.S. law does not impinge on the adequate level of protection they guarantee.

Unfortunately, the EDPB has yet to give specific guidance on what these “supplementary measures” should include. However, the Board does invoke the need for stringent measures that hold up against overreaching government interference:

If you come to the conclusion that, taking into account the circumstances of the transfer and possible supplementary measures, appropriate safeguards would not be ensured, you are required to suspend or end the transfer of personal data. However, if you are intending to keep transferring data despite this conclusion, you must notify your competent [supervisory authority].

Until thorough guidance is released, companies should take multiple steps to continue GDPR-compliant cross-border data transfers and incorporate legal, technical, and organizational supplementary measures.

First, companies must conduct an initial assessment in order to have an accurate understanding and dynamic view of their cross-border data flows. Critically, assessments should be conducted on a regular basis to maintain this precise understanding.

Second, companies must review their existing contracts to ensure that they contain the required contractual clauses, and simultaneously prepare to rewrite these contracts in the near future once the EDPB releases its updated SCCs. Company-specific provisions should additionally be incorporated to provide the highest possible level of data protection.

Third, companies must ensure that they maintain sufficient data security protections to meet the necessary requirements under the General Data Protection Regulation. This includes, for example, following data minimization principles such as deleting data as soon as it is no longer needed.

Finally, these companies must clearly and transparently communicate their cross-border data processes to the public.

ADVISORI can help

Advisori’s industry-leading software and experienced privacy experts can help companies get control of all the personal data they process, specifically that data flowing outside EU borders. Our experts can also assist in a review of all existing company SCCs and BCRs to ensure that they are consistent with existing cross-border data flows. Finally, our team can review and assess a company’s existing data protection measures, and how they compare to current industry standards and practices. In the aftermath of the Schrems II decision, these three critical steps help demonstrate a company’s concerted efforts to deploy and follow the “supplementary measures” the EDPB requires.