Privacy Shield has been invalidated, creating new hurdles for the digital economy


On July 16, 2020, the Court of Justice of the European Union ("CJEU") (the top court in the European Union) issued a landmark judgement invalidating the EU-U.S. Privacy Shield framework which can be used for cross-border transfers of personal data between the United States and the European Union ("EU"). The court also confirmed that the standard contractual clauses approved by the European Commission ("Model Clauses") by themselves are sufficient to transfer personal data outside the UK and EU – however, this was qualified by the fact that they should only be used where certain strict conditions are met (press release and full judgement here and here).

These changes will significantly impact how businesses transfer personal data from the UK and EU to the USA and several other third countries. The (now invalid) EU-US Privacy Shield permitted transfers of personal data from the EU to thousands of US-based companies. Activities like using the cloud-based hosting services, Gmail, video calls on Zoom, or running CRM reports on Salesforce were all enabled by Privacy Shield.

We have set out some practical suggestions for businesses as to how to navigate this potentially tricky decision.

Background

The decision in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (Case C-311/1) ("Schrems II") is the latest challenge from Mr Schrems in relation to the transfer of personal data by Facebook Ireland to servers belonging to Facebook Inc in America due to possible access to personal data by US public authorities.  He had previously successfully challenged the Safe Harbor scheme which was then replaced by the European Commission with the EU-U.S. Privacy Shield framework.

In his most recent complaint to the Irish Data Protection Commissioner, Mr Schrems claimed the US did not offer sufficient protection regarding personal data transferred from the EU. Mr Schrems sought to suspend or prohibit data transfer from the EU to the USA by Facebook. The Irish High Court referred its questions to the CJEU as to whether the Model Clauses provided sufficient safeguards and additionally raised questions in relation to the EU-U.S. Privacy Shield framework. The CJEU considered this in the context of the EU General Data Protection Regulation 2016 and also the Charter of Fundamental Rights of the European Union (the "Charter") (specifically in relation to guaranteeing respect for private and family life, personal data protection and the right to effective judicial protection).

The fall of EU-U.S. Privacy Shield

In the Schrems II decision, the CJEU declared the EU-U.S. Privacy Shield framework to be invalid. 

The decision was predicated on the fact that the standard of protection afforded to EU data subjects and their personal data under GDPR and the Charter could not be guaranteed, primarily because of the disproportionate powers under US security laws and also due to the lack of enforceable rights for data subjects.

In the United States, national security, public interest and law enforcement have primacy over the GDPR and the Charter. The CJEU had particular concerns regarding the United States' Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333, which give security agencies broad powers to intercept data. As a result, the CJEU held that US security agencies' ability to access personal data transferred from the EU is not limited in a way that is strictly necessary and essentially equivalent to that under the GDPR.

As regards the guaranteeing of rights of data subjects in respect of their transferred personal data, EU data subjects have no actionable rights before the courts against the US authorities. The Ombudsperson mechanism under EU-U.S. Privacy Shield does not provide any cause of action before a body which offers the persons whose data is transferred to the United States guarantees essentially equivalent to those required under Article 47 of the Charter. The Ombudsperson's lack of independence and its inability to bind the US intelligence services were two key factors in the CJEU's findings.

Can the Model Clauses still be used?

The answer now is a qualified "maybe".

Whilst the CJEU ruled the controller-to-processor Model Clauses to be valid in principle, they further said that they cannot be used if the laws of the destination country prevent recipients from complying with their obligations in the Model Clauses.

The third country must offer a level of protection of personal data essentially equivalent to the GDPR and the Charter. This does pose something of a conundrum, given that the CJEU appears to have cast doubt as to whether the US laws guarantee such protection. Mr Schrems and his backers have already signaled their intention to question whether the use of the Model Clauses is sufficient for transfers to the US.  The Irish Data Protection Commissioner will need to consider this point in light of the CJEU decision and it may look to guidance from the European Data Protection Board (whose initial set of FAQs on the Schrems II judgement can be found here).  We can, therefore, expect further developments.

There are, of course, other non-EU states of which the same concerns could be raised – these findings are applicable to any export of personal data to non-EU states.

In summary, the CJEU decision made the following observations on how Model Clauses can be used:

  1. The relevant data exporter must look at the relevant aspects of the legal system of the non-EU data importer, in particular regarding access by public authorities and how they relate to the GDPR and Charter. The data exporter must verify and document the level of protection on a case-by-case basis pre-transfer (possibly in collaboration with the data importer).
  2. If there is not adequate protection as required by the GDPR and Charter, the data exporter must consider supplementing the Model Clauses with additional safeguards that mitigate the CJEU's concerns. For example, set out a process for when a federal government request is received to access personal data received from the UK or EU; discuss the likelihood of a particular practice area receiving a FISA request; consider whether end-to-end encryption is practical.
  3. The Model Clauses require that the parties suspend transfers of personal data if the mechanisms in the Model Clauses that afford an adequate level of protection cannot be honoured. For example, the data importer must notify the data exporter of its inability to comply with the Model Clauses, and as a consequence the data exporter must suspend the transfers of the personal data or terminate. This requires the parties to be proactive in monitoring and checking the operation of the Model Clauses – businesses will need to have more regard to the data protection and security laws of non-EU states where their data subjects' personal data are processed.
  4. If competent supervisory authorities in the EU state of the data exporter believe the Model Clauses cannot be complied with, then the relevant competent supervisory authority must step in and prohibit the transfer.

Challenges for a post-Brexit Britain

The UK remains subject to EU law, including CJEU decisions, during the transitional period until 11 p.m. on 31 December 2020.  The Schrems II decision complicates an already difficult diplomatic negotiation as the UK seeks a data protection adequacy decision from the European Commission so that data flows with the EU can continue unrestricted.  The UK is now ostensibly "caught in the middle". However, the EU will be concerned that if companies transfer EU citizens’ data to the UK, the UK might in turn allow for data to be transferred to the US – which in turn could mean that an adequacy decision becomes less likely.

What next?

It is undeniable that at the time of writing, there is considerable uncertainty as regards transfers of personal data to the US. Businesses have become increasingly reliant on digital and cloud-based services where suppliers use subsidiaries and other suppliers based in the US.  Unravelling this supply chain will take some doing. 

The various supervisory authorities in EU member states have been issuing press releases and guidance as to how they will approach this change. There are signs of a divergence in approach – so, for example, a number of German data protection authorities have openly stated that they believe that transfers to the US will be unlawful even under the Model Clauses. Others have taken a more qualified approach and stated that there are risks of non-compliance. This is an area that should be monitored over the coming months until there is some consistency in approach.

Key practical considerations are as follows:

  1. Due diligence: Review where your personal data goes and (where relevant) amend any records of processing activities in relation to how personal data is transferred outside the UK and EU. Data processing clauses, agreements and addendums may need updating to remove references to Privacy Shield. Prioritise critical service agreements and those arrangements that touch countries that have more intrusive national security and surveillance laws than the EU.
  2. Is there a grace period? Unfortunately not, as it currently stands. EU-U.S. Privacy Shield has been invalidated with immediate effect. However, supervisory authorities may need a few weeks to establish their approach before they start any form of enforcement action. We may see some supervisory authorities looking to reassure businesses and give time for them to address the issues.
  3. US transfers: Companies relying on the Privacy Shield framework to meet the GDPR's cross-border rules should turn to another method of compliance. Similarly, businesses should engage with suppliers in the US or who have operations in the US, establish how they propose to protect personal data, and require them to adopt another method of compliance. In virtually all cases this is likely to be the Model Clauses (although international groups may use Binding Corporate Rules and there are derogations where, for example, data subject consent has been obtained).
  4. Model Clauses and self-assessments: The CJEU's decision means that businesses that transfer personal data out of the EU will need to perform a self-assessment to establish whether the Model Clauses can be used with regards to a specific transfer to a third country. This will mean analysis of the nature and extent of data to be transferred and also consideration of the legal safeguards available in the destination state and the extent of their surveillance laws. Businesses may need to supplement their documentation for Model Clauses with additional safeguards, and implement mechanisms
  5. Ongoing monitoring:  Businesses will need to ensure that compliance with the Model Clauses is monitored and documented.

Hopefully there will be some regulatory guidance forthcoming in the next few weeks. The ICO and EDPB both appear to appreciate the difficult situation various data exporters find themselves in (see here and here for their press releases, which were made within 1 day of the judgement, and the EDPB's FAQs, which were published within 1 week of the judgement).

If you would like to discuss any of the issues raised in this article, or have other concerns about the processing of personal data, please contact Nathaniel Lane or Tom Torkar in our Commercial team, or your usual Michelmores' contact.

This article is for information purposes only and is not a substitute for legal advice and should not be relied upon as such. Please contact our specialist lawyers to discuss any issues you are facing.