The EU-US Privacy Shield allows companies to adhere to higher privacy standards before transferring data to the US. This system has facilitated transnational digital trade for more than 5,300 companies and served as an important instrument for the transfer of EU residents’ data to the US. However, on July 16, the Court of Justice of the European Union (CJEU) struck down this transfer mechanism, ruling that the Privacy Shield did not comply with European privacy rights.
Affected companies now have to consider alternative transfer mechanisms, and we expect many to sign Standard Contractual Clauses (SCCs), which are non-negotiable legal contracts drafted by the EU and used for transfers with non-EU countries besides the US.
What does this mean in practice?
Two issues are outstanding: whether there will be a grace period for the transition to another data transfer approach, and what it means for the practical adoption of SCCs.
Expecting a grace period
A precedent was set when the CJEU invalidated the Safe Harbour programme in 2015. Impacted companies were given a grace period to figure out how to respond to the Court’s decision by utilising a different transfer mechanism. Similarly, with the Privacy Shield, before the decision was made public, European officials stated that plans were in place to ensure commerce would not be disrupted. The European Commissioner for Justice said that the EU would work with the US “to develop a strengthened and durable transfer mechanism”. To date, there has been no formal announcement on a similar grace period to transition from the Privacy Shield to another transfer mechanism, such as SCCs.
On 23 July 2020 the European Data Protection Board (EDPB) issued a document (“FAQ Document”) stating that there is no grace period and “the court has invalidated the Privacy Shield Decision without maintaining its effects.” This means companies that continue to rely on the Privacy Shield to transfer personal data to the US are doing so illegally.
While the CJEU did not abolish the SCCs, the Court did warn that these standard contracts should be suspended by data protection authorities if the guarantees provided in them are not respected. Implementation of SCCs will be closely monitored, and companies should not take obligations under SCCs lightly. Regulators are now expected to review a company’s adherence to the signed SCCs. As such, companies need to seriously assess whether they can indeed comply with SCC requirements and, if not, rethink their operations to limit the need for such international transfers.
Another critical change is that SCCs, by themselves, do not necessarily mean transferred personal data is adequately protected. Additional safeguarding measures would be required to supplement the SCCs, bearing in mind the local laws and regulatory practices of the third country. This is especially so if these laws allow, for example, government agencies to access the transferred data without being subject to the requirements and protections afforded by SCCs.
In the FAQ Document, the EDPB states that companies need to assess their reliance on SCCs on a case-by-case basis, taking into account the details of the data transfers and any new measures put into place. If, after the assessment, the company comes to the conclusion that appropriate safeguards are not ensured, it should suspend or end its data transfers outside the EU. If companies continue to transfer data despite the result of the assessment, they must notify their Supervisory Authority.
What should companies do next?
The most immediate step for all companies impacted by this decision is to assess the impact on current personal data transfers to ‘Third Countries’ by doing a ‘Transfer Impact Assessment’. Here are a few tips on how you may want to start doing this:
We expect that many companies that originally participated in the Privacy Shield will now have to sign and implement SCCs as the most feasible ‘quick fix’. The ruling on July 16 will likely accelerate the need for the European Commission to update the SCCs developed under the prior EU data protection directive. As such, companies with existing SCCs and those who are adopting SCCs in light of the July 16 decision will most likely have to revisit this mechanism once the newly revised SCCs are introduced.
In the medium term, companies should monitor the pronouncements from Supervisory Authorities in the jurisdictions where they operate and expect greater scrutiny over transfers to third countries not deemed adequate. As a matter of practical operations, companies may need to consider employing technical methods such as encryption or tokenisation to change the nature of the transferred data, so that it qualifies as an additional safeguarding measure that sits alongside the signed SCCs.
In the long term, companies should consider robust global mechanisms, such as “binding corporate rules” (BCRs), to meet transfer requirements and drive high data protection standards to ensure the continuity of safe data flows. Similarly to the data transfer assessment requirement for SCCs, the EDPB states that companies relying on BCRs need to take into account the circumstances of the data transfers and appropriate supplementary measures surrounding the transfer. It is highly important that companies assess whether US law would impinge on the adequate level of protection the BCRs guarantee. If the data transfer assessment shows that, taking into account the circumstances of the data transfer and the supplementary measures, the level of protection the BCRs guarantee is not ensured, companies should suspend or end the data transfers. If the company continues to transfer data despite this assessment, it would need to contact its supervisory authority.
Article 46 of the GDPR
The EDPB acknowledges the decision of the Court that the standard for appropriate safeguards in Article 46 of the GDPR should be read in light of Article 44, which states that “all provisions [in Chapter V] shall be applied in order to ensure that the level of protection of natural persons guaranteed by [GDPR] is not undermined.” In other words, if a company relies on Article 46, data subjects must be afforded “a level of protection essentially equivalent to that guaranteed within the European Union.”
Article 49 Derogations
The EDPB affirms that it is possible to use Article 49 derogations for transfer to the US and reaffirms the conditions required for each derogation, as some of the derogations can only be used for “occasional use”, for example when a transfer is necessary for the performance of a contract. In such cases, where consent is used, it must be explicit and specific to the particular data transfer or set of transfers, and data subjects must be informed of the possible risks of the transfer to a country that may not provide adequate protection and that no adequate safeguards aimed at providing protection for the data are being implemented.
It is worth noting that the alternative solutions to Privacy Shield do not offer a magic bullet for the national security concerns raised by the European courts. However, the more robust an organisation’s privacy programme, the stronger its position to demonstrate compliance and build the trust of customers, employees and external parties such as regulators.