EU-US Privacy Shield
On 16 July 2020, the Court of Justice of the European Union (“CJEU”) invalidated the EU-US Privacy Shield in its Judgment in Case C-311/18 (Schrems II). This Judgment is of direct concern to any company which used the Privacy Shield to transfer personal data from the EU to the US, and holds wider implications regarding the legality of transferring data through the use of Standard Contractual Clauses (“SCCs”) to any non-EU country. This is the second time that the CJEU invalidated a data transfer mechanism; in 2015, the Safe Harbour principles were also declared invalid by the CJEU in Case C-362/14 (Schrems I), under relatively similar circumstances.
In our FAQs below we’ve summarised what this Judgment means for the online advertising-supported internet, which pitfalls to avoid, and where to look for more detailed guidance.
Q: What was the EU-US Privacy Shield and how did it work?
A: The EU-U.S. Privacy Shield Framework was designed by the U.S. Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce.
Companies could voluntarily sign up to the Privacy Shield, committing to uphold certain standards of personal data protection and allowing individuals to submit complaints if they felt their personal data was not adequately protected. This is important because, according to the General Data Protection Regulation (“GDPR”), personal data of people residing within the EU can only be transferred to a non-EU country if their personal data receives essentially the same protection as it has under the GDPR.
The Privacy Shield was meant to bridge the gap between the standards of data protection under US law and the GDPR. Inter alia this included the establishment of an Ombudsperson to whom complaints about mistreatment of personal data could be directed, as well as ensuring a similar level of accountability.
Q: Why did the CJEU invalidate the EU-US Privacy Shield?
A: The key issue that the CJEU found with the Privacy Shield is that the US government operates surveillance programs that go beyond what is strictly necessary. In practice, this means that the US government’s surveillance practices would be unlawful under the GDPR and the EU Charter of Fundamental Rights. Furthermore, the CJEU held that EU citizens had no actionable rights against the US authorities. Another reason cited by the CJEU for invalidating the Privacy Shield was that the Ombudsperson was not sufficiently independent from the US Government and was not able to make decisions that bind the surveillance authorities.
Q: I am signed up to the Privacy Shield, or I am partnered with a company which uses Privacy Shield to transfer my data from the EU to the US. What do I do now?
A: The invalidation by the CJEU has immediate effect – meaning that the Privacy Shield is no longer considered an adequate way of protecting your users’ personal data. As a consequence, transferring data from the EU to the US solely under the Privacy Shield principles is now not compliant with the GDPR, and a supervisory authority (data protection authority) could fine you for GDPR infringement. However, it is important to seek guidance from your lead supervisory authority (usually the local data protection authority in the country where your company or its HQ is based), as it may choose to show leniency to companies given the sudden nature of this change in the law. The next step is to seek out alternative methods for transferring personal data to the US in collaboration with your US-based partner company.
Q: How can I legally transfer data to the U.S. moving forward?
A: The GDPR provides several possibilities in this regard, but it is important to note that the judgment has also affected companies’ ability to rely on these so-called data transfer mechanisms. The most commonly used mechanisms for commercial data transfers are Standard Contractual Clauses (“SCCs”) and Binding Corporate Rules (“BCRs”). SCCs are pre-defined contractual clauses that can be included in agreements and bind both the sending and receiving companies to certain principles that ensure that personal data is protected beyond the borders of the European Union. BCRs are intended for inter-company data transfers, which similarly require the company to adhere to certain rules that help protect the personal data which they process in a way that is compliant with the GDPR.
Q: What are the risks of using SCCs and BCRs after the Schrems II Judgment?
A: In the Schrems II judgment, the CJEU also examined the legality of the current SCCs. While the CJEU found that the prescribed SCCs, designed by the EU Commission, were valid, it noted that by design a contractual clause has no binding effect on government institutions and authorities. In essence, this means that while SCCs can promise to protect personal data from information requests by US intelligence agencies, the contracting parties cannot guarantee that protection and may have no choice in the matter. The CJEU therefore advocates a case-by-case assessment moving forward to ensure that a given data transfer to a third country is compliant with the GDPR, making it impossible to know for sure whether a set of SCCs is actually compliant or not. It will depend on the companies sending and receiving the personal data, the regulator in the target country, and the types of personal data.
Q: What can I do today to check that I’m complying with the law?
- Take stock of your data inventory and that of your partners – This change may have no impact on your company if none of the data used by it is transferred to the US. In this case it is also important to ensure that none of your partners do this, or at least to understand how they are transferring data to the US, for which purposes, and how they ensure compliance with the GDPR.
- Review contracts with partners who are based in non-EU countries – If you work with companies who have their servers based in any non-EU country, make sure that you understand how they are ensuring compliance with the GDPR. Keep in mind that if you are providing data to a partner who transfers that data out of the EU, you may still be legally accountable for that data as the controller.
- Seek guidance from your lead supervisory authority – Your supervisory authority (or data protection authority) may show leniency towards data transfers that took place under the Privacy Shield, given the sudden nature of this change in the law. Keep in mind that the European Data Protection Board (EDPB) has published FAQs of its own which can help alleviate some of your immediate concerns.
Q: How does this impact the online advertising-supported internet?
A: While it is hard to measure the impact in specific terms, this is likely to cause a big disruption in an industry which is as global and interconnected as ours. What may be seen as a simple data transaction for our industry, such as recalling segmentation information about a particular web browser, may be seen in the eyes of the regulator as a cross-border data transfer depending on the locations of the respective servers.