Schrems II - Where are we now for EU-US data transfers?
It has been nearly three months since the Court of Justice of the European Union invalidated the EU-US Privacy Shield.
The decision was a shock to the privacy world and businesses and specialists alike rushed to find legal alternatives that would allow them in practice to continue sharing data with the US, as they once had.
So, three months on, is the situation any clearer than it was in July?
The Privacy Shield
In 2017 the Privacy Shield was accepted by the EU as protecting the rights of EU citizens when their data was transferred to the US. To be awarded a Privacy Shield certification, US companies were required to demonstrate that the procedures they had in place were compliant with the General Data Protection Regulation 2016/679 (GDPR).
If they obtained a certificate, companies in the EU could use the mechanism to transfer personal data to them with confidence that the treatment of the data would be GDPR compliant. As such, the international transfers were legal under the GDPR.
However, when Maximillian Schrems complained to the EU Court that the Privacy Shield mechanism could not adequately protect his personal data in the same way as in Europe, the Court in its preliminary decision agreed.
The Decision
Schrems pointed out that, even if American companies followed all of the principles set out in the GDPR, there were overarching national security laws in the US which allowed governments to go on what he argued were fishing expeditions and receive data about an individual or group of individuals. This meant that, Privacy Shield or no Privacy Shield, a person’s fundamental rights could be interfered with.
In its preliminary ruling in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems, the Court invalidated the Privacy Shield, holding that it did not offer adequate protection to ensure compliance with the GDPR. The Court advised that companies must review every relevant law of the territory to which they intend to transfer data, and consider what other safeguards can be put in place.
For a full analysis of the decision, check out our article here. There is also some advice on alternative safeguards here.
Where are we now?
Three months on, there remain arguments about the wider effects of the Privacy Shield invalidation for data transfers to the US.
Practically minded privacy experts suggest that the alternative is to switch to Standard Contractual Clauses (SCCs), a safeguard which can be used under the GDPR for international data transfers from the EU to countries that do not have adequacy decisions. The SCCs are promoted by the CJEU and are valid under the GDPR. They act as a standard contract for data protection matters only, and set out the obligations on the data importer and the data exporter in order to ensure that the personal data of EU citizens is protected in the same way that it would be in the EU. Indeed, the CJEU confirmed in its decision invalidating the Privacy Shield that the SCCs are still valid, so long as they ensure an adequate level of protection.
So, can it be business as usual for US-EU data transfers, with the SCCs simply being used instead of the Privacy Shield?
Some are suggesting that this is not the case. Indeed, Maximillian Schrems’ lobby group, NOYB, has now issued 101 complaints regarding the use of SCCs with US companies. They argue that an analysis of the HTML source code of major EU web pages shows that many companies still use Google Analytics and Facebook Connect, both of which are based in the US. NOYB is complaining that these EU web pages are continuing to forward personal data to US web servers despite the decision that America’s security laws are not compatible with the GDPR. Their intention is to put pressure on EU DPAs who have not yet formed a view on the SCCs, and ultimately to stop data transfers to the US until its security laws are changed.
Practical tips
For the moment, the SCCs are the only valid way to transfer data to and from the US; however, it is important to remain extra vigilant. The EDPB’s stance continues to be that the SCCs are valid for now, but that they are often not enough on their own.
In practice there must be a level of protection equivalent to that guaranteed by the GDPR, and if a company is based in a territory where this is impossible because of its national laws, SCCs will not fix this.
US cloud companies have rushed to assure their users that EU companies can continue to work with them in confidence. Microsoft, for example, promised that its customers were already protected under the SCCs before the invalidation of the Privacy Shield, and that it will only transfer data between users.
It seems that the Court has demonstrated how important a privacy by design mindset is: SCCs cannot fix a non-GDPR approach if the territory a company is based in is not compatible with the GDPR; the approach must be built with the GDPR principles in mind from the outset, and the SCCs exist only to certify this.
The German data protection authority has issued guidance that those transferring to the US using SCCs should also seek additional safeguards, such as encryption which cannot be “broken by US intelligence services”, and pseudonymization where only the data exporter can re-identify the data.
What does the decision show us?
The Privacy Shield invalidation, and the concerns that have been suggested over the SCCs, demonstrate that the Court is serious about reviewing the actual practices of companies, and not just the paperwork they have in place.
Before the decision, some suggested that companies would simply sign a Privacy Shield agreement or the SCCs, never to think of them again. Now, the Court has stressed that it is not only the record-keeping of the safeguards we have put in place that will be reviewed, but the actual safeguards that we have in practice, and how effective they are.
Therefore, if you transfer data to a country with extreme security laws, and there is a real possibility that these laws will be invoked, your transfer may not be valid even if you put in place all of the suggested safeguards. It is essential that you review the level of protection in practice to confirm that the protection required by the SCCs and the GDPR can actually be achieved.
What next?
While the SCCs are valid for US transfers for now, the situation is uncertain and requires constant review. So, will things become more certain soon?
A special task force has been formed to handle the flood of complaints filed by NOYB regarding the use of SCCs, with the EDPB chair warning controllers that the SCCs need to be thoroughly reviewed, and that there is no “one-size-fits-all, quick fix solution”.
Europe’s justice commissioner has also admitted that there will be no quick fix for this situation. Commissioners from the EU and the US Department of Commerce have announced that they are already in discussions for a potential replacement of the now invalid Privacy Shield. However, there remain concerns over the US surveillance laws, which do not blend well with the GDPR. As we have seen with the e-Privacy Regulation, these legislative developments take time and can be politically charged; for now, we wait.
If you have any questions about your data transfer practices, or any of your data privacy arrangements, please don’t hesitate to get in touch!
Article by Lily Morrison @ Gerrish Legal, October 2020 / Cover photo by Miltiadis Fragkidis on Unsplash