In a landmark decision in what is popularly known as the "Schrems II" case, the Court of Justice of the European Union invalidated the EU-U.S. Privacy Shield, the framework that facilitated the transfers of personal data from the European Union to the United States for thousands of companies. The court cited the breadth of National Security Agency surveillance programs (in connection with FISA Section 702 and Executive Order 12333) and the lack of redress for European individuals in connection with such surveillance of their personal data.
The court also said Standard Contractual Clauses (SCCs), the key mechanism used for cross-border transfers of data from the EU, are still alive, "BUT."
The "BUT" is that the court said that each transferor (exporter of data from the EU ― i.e. you) needs to consider the legal regime in the transferee's country and determine whether, in view of the circumstances of each transfer, it allows the transferor to abide by the requirements of the SCCs and provide adequate protection to EU individuals. This may need to be addressed using supplemental protections, which the court did not specify.
What does this mean for you, a U.S.-based company? Below are ten things you should be thinking about and doing now.
1. First ― Assess Your Data Transfers
- Review all your data transfers (to third parties and to service providers), and determine which rely on Privacy Shield as the sole method of transfer.
- While doing so, inquire with your processors/subprocessors to determine in which country they are processing/storing the data and/or from which country it is being accessed. Document this.
If you are using Privacy Shield as your method of transfer:
2. Find an Alternative Method of Transfer
For example, Standard Contractual Clauses (see below). Privacy Shield has been invalidated as a transfer mechanism.
3. Maintain and Keep Abiding by Your Privacy Shield Certification Obligations
These provide your clients with data protection and governance protections that go above and beyond the data protection requirements that apply to non-regulated U.S. entities, at least. As stated by U.S. Secretary of Commerce Wilbur Ross, the Department of Commerce will continue to maintain the framework. Therefore, not abiding by it is a violation subject to enforcement by the Federal Trade Commission. In addition, Ralf Sauer, Deputy Head of Unit International Data Flows & Protection at the European Commission, stated in a webinar for the International Association of Privacy Professionals that maintaining this certification has another advantage, as it provides an element of trust.
4. Amend Your Privacy Notice
It should clarify that, while you remain certified, you are no longer using the Privacy Shield as your sole mechanism for cross-border transfer of data.
If you already have Standard Contractual Clauses in place:
The European Commission and the European Data Protection Board (EDPB) are currently working on solutions for this, be it a "Privacy Shield Part 3," updated Standard Contractual Clauses, and/or guidance on what the supplemental protections prescribed by the CJEU would look like. In the interim, below are some ways to mitigate risk and try to set your clients/transferors at ease in connection with the transfer:
5. Assess (With Counsel) Whether or Not You Are Subject to Section 702 of FISA
While the section applies only to "electronic communications service providers," the formal definition is very broad and encompasses many, but not all, companies. Document this analysis.
6. If it Does Apply to You ― Assess Whether the Particular Circumstances of Your Transfer Render it Less Likely to Be Subject to Foreign Intelligence Investigations
Consider, with your legal counsel:
- The nature of the data (is it human resources data? clinical trial data? publicly available data? is it pseudonymized or coded?)
- The type of recipient
- The purpose for which it was transferred
- Have you (or your subcontractors) ever been subject to a FISA investigation, or received requests for data in connection with one? How many? Relating to what (portion of the) information?
In view of the General Data Protection Regulation (GDPR) obligation for "accountability," it is important to document this analysis. This will also help you be very transparent about this to your clients.
7. Assess Whether There Are Any Technical/Organizational Solutions That Might Be Helpful to Mitigate Risk (Even if Not Bulletproof)
- Data minimization (if you don't have it, it wouldn't be subject to surveillance)
- Storage in the EU (with or without access from the U.S. for support etc.)
- Containerized solutions where the data is stored in the EU under a trustee agreement where you don't have access to the data (think of a blind management of your investment portfolio)
- Expanded recourse mechanisms for EU individuals. Consider, for example, keeping your Privacy Shield independent recourse mechanism, or potentially getting an alternative dispute resolution mechanism to provide some redress for EU individuals' complaints.
8. Keep Apprised of What Data Protection Authorities Are Saying
That would guide what concerns your clients and what you might need to do to set them at ease. The EDPB is working on guidance for supplemental measures to the SCCs. That guidance will hopefully be published in the very near term.
9. Keep in Close Contact With Your Subprocessors
This is especially true of those who are bigger and who qualify as "electronic communications service providers." Ask them about their approach, and watch for technical or other solutions they may have.
10. Consider Whether You Can Use Any of the GDPR Data Transfer 'Derogations' (Art 49 of GDPR) as a Fallback Mechanism for Your Transfers From the EU
For example, this would include relying on consent, or on transfers that are necessary for the performance of a contract. While the CJEU mentioned these specifically in the judgment, consider the EDPB guidance on using the derogations, as they are not without limitations.