
Death of the privacy shield

By Suzanne Dibble, author/lawyer

Suzanne Dibble considers the implications for data controllers following the ruling invalidating the privacy shield

If your organisation transfers personal data from the UK/EU to the US, for instance, to Facebook or to US-based cloud servers or email service providers, you will be aware of the recent Schrems II judgment and the invalidation of the privacy shield as part of that judgment.

Even if you don’t transfer personal data to the US, but do so to other countries outside of the EU, such as China, India, Australia or South Africa, you still need to take note of the judgment, as it has a far reaching impact on any international transfer of personal data.

The case has caused something of a maelstrom in the world of international data transfers, with data controllers being left without clear guidance as to which way to proceed in order to avoid unlawful data transfers.

This article looks at why the privacy shield has been invalidated; what the judgment means for data transfers to the US (and to other countries outside of the EU); and what data controllers should be doing now to ensure that international data transfers are lawful.

A RECAP 

The EU considers that it has the gold standard of data protection and it is concerned to protect the personal data of people within the EU.

If a data controller proposes to transfer personal data out of the EU, such international transfer may need additional protections before the transfer can lawfully proceed.

The EU has decided that certain countries have an adequate level of data protection regulations, so that additional protections are not necessary before the transfer to that country.

Those countries are: 

  • Andorra
  • Argentina
  • Canada (commercial organisations only)
  • Faroe Islands
  • Guernsey
  • Isle of Man
  • Israel
  • Japan
  • Jersey
  • New Zealand
  • Switzerland
  • Uruguay

The European Commission is also in adequacy discussions with South Korea, so this country may also be added to the list in the near future.

It is worth noting that these adequacy decisions are kept under review, and an adequacy decision can be revoked.

Prior to the Schrems II judgment, data transfers from the UK/EU to the US would not require further protection if the US recipient of the data was self-certified with the privacy shield framework.

But if a US recipient was not privacy shield certified, transfers to the US would typically have required that standard contractual clauses (SCCs) be put into place – as would typically be required to any other country that does not have an adequacy finding.

SCCs are a form of contractual protection, with the standard wording having been pre-approved by the EU.

There are SCCs for controller to controller data transfers and separate SCCs for controller to processor data transfers.

If SCCs can’t be used for whatever reason, then unless a derogation applies (such as explicit consent from the data subject, contractual necessity, public interest, legal claim necessity and vital interests), the transfer cannot lawfully proceed.

Larger organisations may use binding corporate rules for intra group international data transfers – data protection policies that each group company within the organisation adheres to and which have been individually approved by regulators.

HISTORY OF THE PRIVACY SHIELD 

It is not the first time that the framework for data transfers to the US has been challenged and invalidated.

In 2000, the safe harbour certification framework was introduced.

US organisations adhered to seven principles and 15 FAQs.

There were a number of criticisms about the safe harbour, including questionable regulatory oversight and organisations not adhering to the framework.

In June 2013, Max Schrems, an Austrian citizen and privacy activist, complained to the Irish Data Protection Commission (DPC) about Facebook transferring his data from the EU to US servers on the back of the Snowden revelations about the extent of US surveillance.

The Irish DPC referred the case to the European Court of Justice (ECJ) in June 2014, and in October 2015 the ECJ ruled that the safe harbour was invalid.

About 10 days after that judgment, it was announced that there would be a four-month grace period for data exporters to put SCCs into place (along with heated discussions about whether SCCs for US transfers offered suitable protection for data transfers).

On 1 August 2016, the privacy shield became operational and replaced the safe harbour framework.

It was based on a political agreement that had been reached on 2 February 2016 after intense negotiation about such matters as bulk collection of data, sub-processing, an ombudsperson and redress.

However, prior to the ECJ judgment being announced, Max Schrems had raised a further complaint about Facebook using SCCs for the transfer of his personal data to the US.

In October 2017, the Irish DPC referred this complaint to the ECJ.

In May 2018, the General Data Protection Regulation (GDPR) came into force.

In July 2020, the ECJ handed down judgment on Schrems II.

The judgment declared the privacy shield invalid and questioned whether SCCs would be appropriate for transfers to the US due to the unfettered ability of the US government to access personal data.

No grace period in which to put in place SCCs or take other measures to protect the personal data was provided.

There have been mixed initial responses to the judgment from the data protection regulators in EU member states.

These range from the German Data Protection Authority stating that all transfers of personal data to the US would be illegal and should cease immediately; to the UK Information Commissioner’s Office that stated that it will “continue to apply a risk-based and proportionate approach in accordance with our Regulatory Action Policy” and that it “understands the many challenges UK businesses are facing at the present time and we will continue to provide practical and pragmatic advice and support”.

WHAT DID THE JUDGMENT SAY?

The judgment confirmed that the GDPR applies to transfers of personal data for commercial purposes by an EU economic operator to another economic operator in a third country, irrespective of whether that data is liable to be processed by the authorities of the third country for purposes of public security and defence.

It stated that the data exporter must consider the equivalence of data protection when relying on SCCs; and consider access by public authorities of the third country and the relevant aspects of the legal system of that third country.

The judgment also confirmed that SCCs can continue to be used BUT the data exporter AND the data recipient must, on a case by case basis, determine whether the law of the third country ensures adequate protection of the personal data transferred – and must, where necessary, provide additional safeguards.

Where parties are not able to take adequate additional measures to ensure adequate protection, the data exporter is required to suspend or end the transfer.

This is particularly the case where the law of the third country is capable of impinging on contractual guarantees of adequate protection against access by public authorities of that third country to that data.

The ECJ found that there were no limitations on the power to implement US surveillance programmes; and that this therefore could not ensure an adequate level of protection.

Bulk collection of data did not correlate to the safeguards required by EU law.

The ombudsperson for the privacy shield was effectively a political appointment and so it did not offer sufficient redress for data subjects.

Therefore, the privacy shield was invalidated.

In summary:

  • The privacy shield is invalidated.
  • SCCs remain valid.
  • There is a heavy burden of due diligence on data exporters who wish to use SCCs (whether to the US or another third country).
  • The data exporter must consider the law and practice of the country it is exporting to – especially if public authorities have access to data.
  • Additional safeguards may be necessary when using SCCs (whether to the US or any other third country).

We know from the European Data Protection Board (EDPB) FAQ issued after the judgment that additional safeguards may be legal, technical (such as encryption or tokenization) or organisational.

The FAQ states that the EDPB “is looking further into what these supplementary measures could consist of and will provide more guidance”.

Since publishing the FAQ, the EDPB has announced the creation of a dedicated taskforce on the supplementary measures that data exporters and importers can be required to implement to comply with the ECJ ruling.

The European Commission has also committed to publishing new SCCs that take into account the ruling.

In the meantime, the Irish DPC has issued a preliminary order to Facebook requiring it to cease sending EU personal data to the US via SCCs in line with the ruling.

WHAT THIS MEANS

So how can data controllers lawfully transfer personal data from the UK/EU to the US? 

The EDPB FAQ are not enormously helpful in terms of the way forward for data controllers (they can be viewed on the edpb.europa.eu website).

They are endorsed by the UK’s ICO – at least until the end of the transition period on 31 December 2020.

In terms of whether you can use SCCs for data transfers to the US, the FAQ state:

“Whether or not you can transfer personal data on the basis of SCCs will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place.

“The supplementary measures along with SCCs, following a case-by-case analysis of the circumstances surrounding the transfer, would have to ensure that US law does not impinge on the adequate level of protection they guarantee.”

It goes on to say that if you conclude that, “taking into account the circumstances of the transfer and possible supplementary measures, appropriate safeguards would not be ensured, you are required to suspend or end the transfer of personal data”.

But if you intend to keep transferring data despite this conclusion, you must notify your competent supervisory authority.

Despite this, by far the most common response of data exporters to the invalidation of the privacy shield is to put SCCs into place, whether or not ‘supplementary measures’ are available.

It’s difficult to see what supplementary measures could be put into place for transfers to the US, as these would need to prevent US authorities from accessing the personal data; and even encryption will not do that.

In the meantime, the US government and the EU are entering into negotiations to discuss what should be the successor framework to the privacy shield – a fairly tall order given the judgment and the current political position in the US.

It is not likely that there will be any easy solution to this matter any time soon.

While we are in this vacuum, UK data exporters can take some comfort from the ICO’s statement that: “The EDPB has recommended that you must conduct a risk assessment as to whether SCCs provide enough protection within the local legal framework, whether the transfer is to the US or elsewhere.

“The receiver of the data may be able to assist you with this.”

The ICO says it will continue to apply a risk-based and proportionate approach in accordance with its regulatory action policy and acknowledges the “many challenges UK businesses are facing at the present time and we will continue to provide practical and pragmatic advice and support”.

WHAT DOES THIS ALL MEAN?

The immediate and short-term practical implications for data controllers are illustrated in figures 1 and 2.

Looking further ahead, what will change for UK data controllers after the expiry of the transition period? 

The UK government has said that at the end of the transition period, it is committed to “using its new sovereign powers to remove unnecessary obstacles to international data transfers”.

This, it says, includes developing new and innovative mechanisms for international data transfers with corresponding safeguards.

FIG 1: NOT JUST RELEVANT TO US DATA FLOWS

1. Keep alert for further guidance from regulators and revised SCCs
2. Review data flows and identify those reliant on the privacy shield and SCCs
3. Question whether SCCs are capable of ensuring adequate protection
4. If necessary, put other safeguards in place, eg technical solutions
5. Consider whether you need to change supplier to an EU supplier or restructure operations, eg create an EU data centre

FIG 2: WHAT DOES THIS MEAN IN PRACTICE?

1. Review all data flows
2. Identify all transfers subject to SCCs
3. Assess whether protection is adequate
4. Consider supplementary measures
5. Document the assessment and decision

Suzanne Dibble is author of the bestseller GDPR for Dummies (available from the Amazon bookstore). She is also an award-winning small business lawyer (suzannedibble.com).