If your company is one of the 5378 who have certified under U.S. #Privacy Shield, your world got rocked last night. /1
— Your CCPA “Do Not Sell” Link is Not Conspicuous (@tara_aaron) July 16, 2020
If you are a company in the U.S. that collects personal information on people in the European Union, your world got rocked last Thursday morning. (Do you see how early I had to get out of bed that day?)
Privacy Shield Background
Since 2016, the European Union has agreed to allow personal data of its people to be transferred into the United States under a couple of mechanisms, one of which was the Privacy Shield. The reason this mechanism was necessary is that the EU never viewed the U.S. as a country with adequate protections in place to safeguard personal information.
The U.S. government’s ability to get at personal information was of special concern, particularly after the Edward Snowden revelations about the PRISM surveillance program. Since U.S. law didn’t adequately protect personal information, companies had to step up and ensure that they themselves would protect it. One way they could do this was by certifying that they complied with all the data security measures of the Privacy Shield and by registering as a certified company with the U.S. Department of Commerce. As of Friday morning, there were 5378 U.S. companies registered as certified.
Until 2019, every time Privacy Shield came up for review, the EU agreed to extend it. That meant that U.S. companies could obtain and process EU persons’ information without having to rely on any other transfer mechanisms.
Changing Landscape
Between 2016 and this year, though, the data protection scene in Europe changed dramatically. The General Data Protection Regulation came into effect in May 2018. It states more clearly than any previous legislation that the fundamental rights of persons in the EU, including their right to privacy, are to be respected at all levels. Immediately, privacy activists in Europe began bringing lawsuits against companies they believed were not in compliance, most notably Facebook.
In the meantime, the EU was becoming increasingly skeptical that the US was living up to the promises it made during Privacy Shield negotiations. For example, adequate safeguards required by the EU included a tribunal that would protect EU fundamental rights from overreach by law enforcement. The Foreign Intelligence Surveillance Act was of particular concern because it lacks any data minimization or purpose limitations with respect to non-U.S. targets. The US appointed a “Privacy Shield ombudsman,” but not a tribunal to handle cases of government overreach.
The Case Against Privacy Shield
All of this was in the background when the activists’ case against Facebook made it to the European Union Court of Justice (ECJ). The main question put to the ECJ was whether Privacy Shield was sufficient to safeguard EU persons’ information in the context of a transfer to the United States. I’ll spare you the details – the ECJ said no. Privacy Shield is no longer an adequate mechanism because, between the Foreign Intelligence Surveillance Act, the U.S.’s failure to meet the compliance standards of the Privacy Shield negotiations, and our general lack of strong data protection laws (CCPA notwithstanding), the ECJ did not believe that a company could promise to protect fundamental rights when the U.S. government could interfere without redress.
So if you are a U.S. company relying on Privacy Shield to service EU customers, as of now your reliance is no good. It’s worth noting that the U.S. Department of Commerce reminds you on its homepage that you still need to keep in compliance to maintain certification, but I’m not sure what the point is anymore, unless all your customers are in Switzerland.
What’s Next?
So now you need a new mechanism. But about those:
There are five ways the GDPR contemplates for allowing EU persons’ data out of the EU. The first, an adequacy decision, never applied to the U.S. The second, the Privacy Shield, is dead.
So now we’re down to three.
There is a mechanism known as Binding Corporate Rules, which are meant to be the gold standard, but (1) your company would need to be a subsidiary of an EU company for that to apply, (2) none of them have been approved by the EU authorities yet, and (3) they are likely to go the way of Privacy Shield soon, and for the same reasons.
Two left.
The GDPR contemplates allowing companies to contract privately, under clauses essentially drafted by the EU government (“Standard Contractual Clauses”) when no other mechanism applies. These Clauses survived the ECJ decision, but not really:
Where the controller or a processor established in the European Union is not able to take adequate additional measures to guarantee such protection, the controller or processor or, failing that, the competent supervisory authority, are required to suspend or end the transfer of personal data to the third country concerned.
(From Paragraph 135.) If the EU originator (controller) of the data does not reasonably believe that the processor in the other country can meet the obligations in the Standard Contractual Clauses, including because of government interference (like FISA), then the controller can’t send the data to that processor anymore.
If your EU controllers haven’t called yet and said they’re not sending you any more data, it’s worth getting the Standard Contractual Clauses in place. There may be an argument to be made for smaller processors that they aren’t at as much risk of FISA surveillance. But I can’t guarantee it will work.
One ground remains
Fortunately, there is still the very last ground (really two but they both fall under Article 49 of the GDPR so I can combine them) – consent and necessity. Article 49 states that absent any other grounds, a transfer can occur when:
- the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
- the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request.
Consent is messy – “explicit consent” is worse. “Contractual necessity” may be the best answer for companies that really do perform essential services for EU controllers, as long as the transfers are “occasional.” I’ll explain what that means and who can likely best benefit from it next time.