Last week, the top court in Europe struck down the Privacy Shield agreement that governed data transfers between the United States and Europe with regards to General Data Protection Regulation (GDPR) compliance requirements. As one might expect, this sudden halt will create serious problems for the 5,300+ US companies that had been participating in the program. However, the effects of this decision potentially extend to US business partners all over the world.
EU-US data transfers hamstrung
While the terms of this decision apply specifically to EU-US data transfers, it also limits the sharing of European citizen data with other countries via companies in the United States. As Peter Swire, Alston & Bird privacy & data security practice senior counsel, explains: ” … The Court now requires each national data protection authority ‘to suspend or prohibit a transfer of personal data to a third country,’ such as the U.S. or China, to prevent transfers to a country whose government can gain access to personal data under protections that are less than essentially equivalent to those under E.U. law … On SCCs, the court appears to put E.U. trade at risk with other third countries such as China and Russia, which also don’t have a judge examining each part of national security surveillance.”
Established in 2016, Privacy Shield enables EU and US companies to move data back and forth for business purposes with relatively little legal friction. Though Privacy Shield is eliminated, the terms of the existing Standard Contractual Clauses (SCCs) that underpin these relationships between international companies remain valid. EU and US companies appear to be able to transfer data under SCCs for the moment, but they must hash these out between themselves and the SCCs must comply with all of the terms of the GDPR. Some companies (such as Microsoft) have already issued statements indicating that they believe that their existing SCCs are adequate to comply with the new terms.
The invalidation of Privacy Shield was not the case outcome that most legal observers were expecting. The ruling has thrown certain US companies into chaos as they scramble to find an alternative means of data transfer. The trouble with these alternative means is that they tend to involve routing through third countries, few of which meet Europe’s privacy standards.
Luxembourg’s European Court of Justice, the highest court before which this case can go, decided that Privacy Shield was not compliant with GDPR. The challenge to Privacy Shield originates from legal action brought by EU privacy advocates headed by Max Schrems, who has made something of a career out of challenging European privacy laws over the past decade. The case dates back to the Snowden revelations of 2013, with the core argument being that the scope of US surveillance exceeds the terms agreed to under Privacy Shield. In 2015, Schrems successfully argued to have the prior data privacy agreement (the Safe Harbor Privacy Principles) overturned on this basis.
“Data transfers” in this case include not just business communications, but any EU citizen personal information that these companies transfer among themselves. That means serious implications for social media companies such as Facebook, and for tech companies such as Google that deal in email or in targeted advertising. However, there is a class of “necessary” data transfers that are exempted from this ruling; these are communications initiated on the data subject end that are required to procure a service, for example receiving an email confirmation of a hotel booking or vehicle reservation. These appear to stem from the derogations established in Article 49 of the GDPR.
David Dumont, data privacy partner at Hunton Andrews Kurth based in Brussels, examined these terms and potential exceptions in greater detail: “Businesses that rely on the SCCs will be required to evaluate each data transfer recipient to determine whether the recipient offers an ‘adequate level of protection.’ This will mean assessing what type of personal data is being transferred, how it will be processed, whether it may be subject to access by government agencies for surveillance purposes and, if so, what safeguards are available. Most businesses are not readily able to make those assessments … Urgent guidance will be required from data protection regulators as to what practical level of scrutiny they expect from businesses relying on SCCs … The Court pointed to the derogations listed in the GDPR as potential alternatives, but for most data transfers these are likely to be cumbersome to use. Otherwise, the available options are the SCCs and BCRs.”
The ruling should thus not disrupt international services at the consumer end, but will have a dramatic impact on companies that send data in bulk to other countries to process. A likely immediate effect is that European companies will shift to data processors within Europe to ensure that they are compliant.
If a data controller finds that an international partner outside of Europe does not have privacy laws that are at least equivalent to the GDPR in strength, they are now legally required to cease data transfers to that partner (outside of the “necessary exemptions” category).
Grace period requested; But will SCCs survive?
Given the potentially devastating effect this ruling could have, American business groups (such as the International Association of Privacy Professionals) have put out a call for a grace period to give organizations adequate time to adjust their data transfer practices. An appropriate transitional period was established in 2015 when Safe Harbor was invalidated, and these businesses are hoping this is done once again. Aaron Simpson, privacy partner with Hunton Andrews Kurth, outlined the potential damage and the confusion that companies are currently facing: “Unimpeded data flows are hard-wired into global commerce today. This decision not only creates impediments, in some ways it creates a roadblock between the EU and the US … For international businesses that rely on global data flows, this decision is a perfect storm of sorts. We expected questions on the margins about the Standard Contractual Clauses, but what actually resulted was the elimination of the Privacy Shield and significant concerns about the Standard Contractual Clauses, especially when those SCCs are used in support of transfers to the US.”
In the meantime, SCCs continue to be under fire. Schrem’s privacy group NOYB continues to argue that they should be invalidated due to the pervasiveness of American government surveillance. If government monitoring of private businesses continues to be at the level that they allege, all data transfers to the US would be in breach of the requisite data protection law regardless of any SCC agreements.
Though SCCs can now be scrutinized more closely, there is a great deal of question as to whether they actually will be. This will be the responsibility of each data protection authority (DPA), particularly the chief DPA in Ireland responsible for regulating the tech giants based there. DPAs already tend to be backed up with cases and presently do not appear to have the manpower to take on the combing over of potentially thousands of data transfer mechanisms for compliance.
Data importers that are potentially impacted by the Privacy Shield ruling are advised to wait for guidance that is expected to be imminently forthcoming from the European Commission. The European Data Protection Board may also weigh in on binding corporate rules for international data transfers.