Privacy Shield Revocation Greatly Complicates International Data Transfers; Is a Grace Period in the Works?


Last week, the top court in Europe struck down the Privacy Shield agreement that governed data transfers between the United States and Europe with regard to General Data Protection Regulation (GDPR) compliance requirements. As one might expect, this sudden halt will create serious problems for the 5,300+ US companies that had been participating in the program. However, the effects of this decision potentially extend to US business partners all over the world.

EU-US data transfers hamstrung

While the terms of this decision apply specifically to EU-US data transfers, the ruling also limits the sharing of European citizen data with other countries via companies in the United States. As Peter Swire, Alston & Bird privacy & data security practice senior counsel, explains: “… The Court now requires each national data protection authority ‘to suspend or prohibit a transfer of personal data to a third country,’ such as the U.S. or China, to prevent transfers to a country whose government can gain access to personal data under protections that are less than essentially equivalent to those under E.U. law … On SCCs, the court appears to put E.U. trade at risk with other third countries such as China and Russia, which also don’t have a judge examining each part of national security surveillance.”

Established in 2016, Privacy Shield enabled EU and US companies to move data back and forth for business purposes with relatively little legal friction. Though Privacy Shield is eliminated, the terms of the existing Standard Contractual Clauses (SCCs) that underpin these relationships between international companies remain valid. EU and US companies appear to be able to transfer data under SCCs for the moment, but they must hash these out between themselves and the SCCs must comply with all of the terms of the GDPR. Some companies (such as Microsoft) have already issued statements indicating that they believe that their existing SCCs are adequate to comply with the new terms.

The invalidation of Privacy Shield was not the outcome that most legal observers were expecting. The ruling has thrown certain US companies into chaos as they scramble to find an alternative means of data transfer. The trouble with these alternative means is that they tend to involve routing through third countries, few of which meet Europe’s privacy standards.

Luxembourg’s European Court of Justice, the highest court before which this case can go, decided that Privacy Shield was not compliant with GDPR. The challenge to Privacy Shield originates from legal action brought by EU privacy advocates headed by Max Schrems, who has made something of a career out of challenging European privacy laws over the past decade. The case dates back to the Snowden revelations of 2013, with the core argument being that the scope of US surveillance exceeds the terms agreed to under Privacy Shield. In 2015, Schrems successfully argued to have the prior data privacy agreement (the Safe Harbor Privacy Principles) overturned on this basis.

“Data transfers” in this case include not just business communications, but any EU citizen personal information that these companies transfer among themselves. That means serious implications for social media companies such as Facebook, and for tech companies such as Google that deal in email or in targeted advertising. However, there is a class of “necessary” data transfers that are exempted from this ruling; these are communications initiated on the data subject end that are required to procure a service, for example receiving an email confirmation of a hotel booking or vehicle reservation. These appear to stem from the derogations established in Article 49 of the GDPR.

David Dumont, data privacy partner at Hunton Andrews Kurth based in Brussels, examined these terms and potential exceptions in greater detail: “Businesses that rely on the SCCs will be required to evaluate each data transfer recipient to determine whether the recipient offers an ‘adequate level of protection.’ This will mean assessing what type of personal data is being transferred, how it will be processed, whether it may be subject to access by government agencies for surveillance purposes and, if so, what safeguards are available. Most businesses are not readily able to make those assessments … Urgent guidance will be required from data protection regulators as to what practical level of scrutiny they expect from businesses relying on SCCs … The Court pointed to the derogations listed in the GDPR as potential alternatives, but for most data transfers these are likely to be cumbersome to use. Otherwise, the available options are the SCCs and BCRs.”

The ruling should thus not disrupt international services at the consumer end, but will have a dramatic impact on companies that send data in bulk to other countries to process. A likely immediate effect is that European companies will shift to data processors within Europe to ensure that they are compliant.

If a data controller finds that an international partner outside of Europe does not have privacy laws that are at least equivalent to the GDPR in strength, they are now legally required to cease data transfers to that partner (outside of the “necessary exemptions” category).

Grace period requested; but will SCCs survive?

Given the potentially devastating effect this ruling could have, American business groups (such as the International Association of Privacy Professionals) have put out a call for a grace period to give organizations adequate time to adjust their data transfer practices. An appropriate transitional period was established in 2015 when Safe Harbor was invalidated, and these businesses are hoping this is done once again. Aaron Simpson, privacy partner with Hunton Andrews Kurth, outlined the potential damage and the confusion that companies are currently facing: “Unimpeded data flows are hard-wired into global commerce today. This decision not only creates impediments, in some ways it creates a roadblock between the EU and the US … For international businesses that rely on global data flows, this decision is a perfect storm of sorts. We expected questions on the margins about the Standard Contractual Clauses, but what actually resulted was the elimination of the Privacy Shield and significant concerns about the Standard Contractual Clauses, especially when those SCCs are used in support of transfers to the US.”

In the meantime, SCCs continue to be under fire. Schrems’ privacy group NOYB continues to argue that they should be invalidated due to the pervasiveness of American government surveillance. If government monitoring of private businesses continues to be at the level that they allege, all data transfers to the US would be in breach of the requisite data protection law regardless of any SCC agreements.


Though SCCs can now be scrutinized more closely, there is a great deal of question as to whether they actually will be. This will be the responsibility of each data protection authority (DPA), particularly the chief DPA in Ireland responsible for regulating the tech giants based there. DPAs already tend to be backed up with cases and presently do not appear to have the manpower to take on the combing over of potentially thousands of data transfer mechanisms for compliance.

Data importers that are potentially impacted by the Privacy Shield ruling are advised to wait for guidance that is expected to be imminently forthcoming from the European Commission. The European Data Protection Board may also weigh in on binding corporate rules for international data transfers.

Source: CPO Magazine
