News sources reported this month that the Irish data protection authority (DPA) had sent Facebook a preliminary order that would prohibit it from transferring personal data about European Union (EU) residents to the United States. Facebook has said it will appeal the order. This may be only the beginning of a cascade of orders that threaten to interrupt social media and other forms of internet-based commerce between Europe and the US. How did this happen?
These events can be traced to May 25, 2018, when the General Data Protection Regulation (GDPR) went into effect in the European Economic Area (EEA), which includes the EU, Iceland, Liechtenstein, and Norway. In addition to regulating data protection and privacy within those areas, it also regulates the export of personal data to any country outside the EEA. The regulation applies, for example, if personal data about someone in the EEA is transferred to a service provider outside the EEA.
Chapter V of the GDPR prohibits such transfers of personal data unless the European Commission has determined that the data protection regime of the third country is adequate, or unless the transfer falls under one of the regulation's specific exceptions (a so-called derogation), or unless appropriate safeguards are in place for the personal data. Examples of such safeguards are Binding Corporate Rules, designed for internal transfers within multinational organizations, and Standard Contractual Clauses (SCCs). SCCs are model contract terms issued by the European Commission that an EU data exporter and a non-EU data importer sign; they allow companies to transfer data to unrelated organizations outside the EEA.
The European Commission has issued adequacy decisions making it easy to transfer personal data to a limited number of countries, but no such decision applies to the United States. The EU-US Privacy Shield was designed to give an alternative mechanism to companies to comply with the GDPR when transferring personal data from the EEA to the US. The Privacy Shield was instituted in rapid response to the success of Max Schrems, an Austrian, in challenging a predecessor arrangement, the EU-US Safe Harbor Framework. Acting on Mr. Schrems’s complaint filed in Ireland, the Court of Justice of the European Union held the Safe Harbor to be invalid in light of the expansive powers of US intelligence services and the lack of recourse for EU residents in the event of compromises of their personal information in the US.
On July 16, 2020, the Court of Justice of the European Union invalidated the EU-US Privacy Shield in its Schrems II decision. Once again, the Court was concerned about US government access to personal data of Europeans. EU law permits governmental surveillance only to the extent strictly necessary, under the principle of proportionality, and the Court could not conclude that US law satisfies this standard. Specifically, the Court found that section 702 of the Foreign Intelligence Surveillance Act (FISA), Presidential Policy Directive 28, and Executive Order 12333 allow the US government to conduct more extensive surveillance than strictly necessary. The Court also found that these programs give Europeans no actionable rights before a court or tribunal against US authorities, and that the Privacy Shield Ombudsperson mechanism did not fill that gap. For these reasons, the Court held that the Privacy Shield did not ensure a level of protection essentially equivalent to that guaranteed by the GDPR read in light of the EU Charter of Fundamental Rights, and was therefore invalid.
In addition to invalidating the Privacy Shield framework, Schrems II also imposed enhanced requirements on SCCs. While the Court did not go as far as declaring SCCs invalid, it emphasized that the clauses must ensure compliance with a level of data protection essentially equivalent to what is required by EU law. In particular, the SCCs must require suspending or prohibiting the transfer of personal data in the event of a breach of those clauses, or of the impossibility of complying with them. The Court pointed out that a data importer is required to inform the data exporter of any inability to comply with the SCCs, and that the exporter must in consequence suspend the data transfer or terminate the contract with the data importer.
The invalidation poses a serious challenge to Facebook and over 5,000 other US companies and their EU counterparties that were relying on the Privacy Shield to support data exports to the US. The European Data Protection Board (EDPB) has said no grace period applies during which a company could continue to rely on the Privacy Shield.
With the Privacy Shield gone, SCCs now appear to be the only basis left for transfers between unrelated companies. However, EDPB has said that companies now using SCCs instead of the Privacy Shield to support data transfers from the EU to the US must conduct a case-by-case risk assessment of contemplated data transfers, taking into account the circumstances of the transfers and any supplementary measures that a company could put in place. The EDPB is silent on how to achieve that.
On August 24, one of the 17 German DPAs, the DPA for the state of Baden-Wuerttemberg, issued more detailed guidance. With regard to data transfers to the US, the following points from this guidance are noteworthy:
- The DPA will not hesitate to impose fines for continued reliance on the Privacy Shield.
- The existing SCCs alone do not ensure a level of protection essentially equivalent to what is required by EU law. The authority suggests supplementary measures such as an encryption mechanism that cannot be decrypted by US intelligence services.
- Companies should review every data transfer and should determine if the transfer remains justifiable.
- Companies should consider storing personal data in the EEA to avoid unneeded transfers.
- The DPA suggests that EU companies should negotiate supplemental contractual clauses with their service providers to demonstrate an intention to mitigate the risks associated with personal data transfers.
In short, the Privacy Shield is dead, leaving SCCs as the principal basis for transatlantic data flows that include personal information, and even the SCCs are open to question. Thus, US companies receiving personal data from the EU on the basis of SCCs should expect to be asked for further assurances regarding the security of the data that they receive. Here are some steps to consider:
- Offer to use strong encryption as a means of protecting data, even if it is not clear that the encryption would satisfy the DPAs as a safeguard against US intelligence agencies. Note that the protection the DPAs are looking for depends on key custody rather than on the strength of the algorithm: encryption in transit (TLS) or encryption at rest with keys held by the US importer does not help, because the importer can be compelled to decrypt. Only a scheme in which the decryption key is generated and held in the EEA, and never made available to the US recipient, makes the data unreadable to US authorities. That in turn is only workable where the US recipient does not need to process the data in the clear.
- Offer to notify the EU source of the data if the company deems itself no longer able to protect the data, which may happen if it is subject to a FISA request. However, US companies should not agree to disclose the existence of a specific FISA request, since such requests generally carry nondisclosure obligations and disclosing them is unlawful.
- Be aware that, because of Brexit, Schrems II may be handled differently in the UK, which has indicated a desire not to let that decision shut down the Privacy Shield for transfers of data between the US and the UK.
- Expect Switzerland, which is not part of the EU, to follow its own path, even though it has so far followed Schrems II.
- Monitor the development of new SCCs designed to take Schrems II into account. The chair of the EDPB testified on September 3 that updating the SCCs in light of Schrems II is a high priority, and that the EDPB hopes to see the update completed by year-end.
It is time for the European Commission to update the SCCs to ensure compliance with the GDPR, but it is likely that any such update will require more due diligence and ongoing monitoring on the part of EU companies dealing with US counterparties.