The Schrems II decision handed down in July stipulated that the EU-US Privacy Shield agreement was immediately null and void for the most part, applicable only if organizations had ironclad contracts in place that guaranteed the United States government was unable to access EU resident personal data. The one big question remaining was how swiftly (and with what level of intensity) the data protection commissions (DPCs) would begin enforcing these new terms.
One major step has now been taken as the Irish DPC has ordered Facebook to cease its EU-US data transfers, potentially signaling that previously valid standard contractual clauses (SCCs) may now be off the table as usable data transfer agreements.
Schrems II, Facebook and SCCs / BCRs
The Irish data protection commission has responded to the Schrems II ruling by sending Facebook, which has its EU headquarters in Dublin along with many other tech giants, a preliminary suspension order that puts an end to the company’s use of SCCs to validate EU-US data transfers.
The Schrems II ruling is centered on the belief that, in light of the Edward Snowden leaks in 2013, the US government is indiscriminately intercepting and peeking in on international data transfers. The ruling essentially assumes that all EU users can expect to have their personal data compromised by the US government once it is transferred to that country.
The Schrems II ruling left some small amount of wiggle room by leaving SCCs and the similar binding corporate rules (BCRs) open as a potential option to grant EU citizens the requisite level of protection under the General Data Protection Regulation (GDPR). However, since Max Schrems initiated this string of lawsuits in 2013, he has insisted that instruments such as SCCs and BCRs cannot be considered adequate to stop US government spying no matter what the terms are. It appears that the Irish DPC has come down in agreement with this interpretation of the Court of Justice of the European Union (CJEU) ruling.
The preliminary suspension order applies only in Ireland’s jurisdiction. It now goes before the EU’s other DPCs for joint approval; if that happens, it becomes applicable throughout the region. Facebook has been given until the end of September to contest the decision. Given the huge number of users the platform has, Facebook could be looking at a maximum GDPR fine of 4% of its annual revenue (or about $2.8 billion) should its data transfers be found to be out of compliance with the order.
How will trans-Atlantic data transfers work?
The Schrems II ruling was unexpected and left both EU governments and organizations scrambling to cope with the fallout, with no clear functional alternative for US data transfers save taking on the expense of shifting all EU citizen data processing to entities located within the EU. EU lawmakers quickly entered into discussions about adopting a Privacy Shield alternative or drafting a stronger revised version, but there is common belief that any such measure would be a stopgap at best and would eventually be similarly struck down by the EU’s highest court.
Schrems II essentially requires that the US pass substantial data privacy reform before it can be considered a trusted data partner under the terms of the GDPR. There has been increased legislative interest in and public support for a federal-level data privacy law in the US as of late, but the progress of actual bills and discussion was essentially halted by the double whammy of the coronavirus and an especially contentious election year. It seems very unlikely that the issue will be seriously addressed until 2021 at the earliest; while there is bipartisan support for such reform, it is still far from clear how the situation will ultimately play out.
Article 46 is the relevant portion of the GDPR that must be satisfied by any mechanism for data transfers between the EU and US. The hope was that the need for “appropriate safeguards, enforceable data subject rights and effective legal remedies” could be covered by terms and procedures laid out in sufficiently strong BCRs or SCCs, but it appears that the entire concept of these contracts is sitting on the edge of total invalidation as the Schrems II decision plays all the way out.
So what options are left for organizations that require trans-Atlantic data transfers? One that has been proposed is using Canada as an intermediary, but that route is fraught with risk as well. Canada is currently considered an “adequate” data transfer partner under GDPR terms, but is overdue for review and questions have been raised about its own level of government surveillance. Even if it remains in fully adequate status, the passing of data onward to a non-trusted “third country” could be considered a breach of protection.
The most viable option is also a costly one for many organizations: simply relocating all frontend data processing to the EU and changing processes so that protected personal information is not transferred overseas. Either that, or hoping that the EU comes up with an alternative agreement that can at minimum kick the can down the road for a few years longer.