On July 16, the European Union’s Court of Justice (CJEU) struck down the Privacy Shield agreement but left Standard Contractual Clauses (SCC) intact. The Court invalidated the Privacy Shield data-sharing agreement between the EU and the US due to invasive US surveillance laws. Now, businesses are scrambling to figure out if they can continue to transfer their data between the EU and the US.
So, What’s Next? None of Your Business.
NOYB is a non-profit organization based in Vienna, Austria, established in 2017, fighting for privacy rights across the EU. In the latest tribulation surrounding the NOYB project “EU-US Data Transfers,” Max Schrems and NOYB are planning to challenge Facebook by August 14. NOYB sent an open letter to the Irish Data Protection Commissioner (DPC), accusing the DPC of acting too slowly against Facebook. It has been over seven years and five court rulings since the filing of the original complaint. The Irish DPC’s sluggish pace deprives European Citizens of their rights under the GDPR because Facebook is carrying on with business as usual in the meantime.
After the Schrems I decision eliminated the Safe Harbor agreement, The Irish DPC still has not made a final ruling on the Schrems complaint that Facebook was not complying with GDPR. Instead, The DPC brought a case against Facebook and Schrems, which is what again brought the issue of data transfer to the CJEU as Schrems II. Facebook’s argument that they were complying with the US law as agreed under privacy shield, although not signed up for privacy shield, lead to the CJEU decision striking down Privacy Shield. Facebook’s claim that they are compliant under Standard Contract Clauses (SCC) remains an issue for NOYB because Facebook can still attempt to transfer data using SCC, which was still considered valid by the CJEU.
There is no grace period for the elimination of Privacy Shield. Companies must look at the decisions of individual countries’ data privacy regulators. The FTC and the US Department of Commerce, which negotiated the agreement, still require Privacy Shield participants to oblige the requirements. However, participants can leave the Privacy Shield at any time. Companies can show they are serious about privacy by continuing to uphold the Privacy Shield even if the US surveillance laws potentially invalidate their SCC because of their business line. Invalidation can occur if a company must comply with FISA or other surveillance laws.
The International Association of Privacy Professionals (IAPP) is compiling a great resource center as data protection authorities (DPAs), and government agencies are publishing initial guidance for how to handle the post-“Schrems II” data transfer world.
A Case by Case Decision
The CJEU decision to strike down the Privacy Shield lead to the assumption that SCC still allows the transfer of data. The GDPR restricts transfers of personal data outside the European Economic Area. However, Article 49 of the GDPR – derogations for specific situations, is a starting place for companies needing to examine if their reasoning for data transfer is potentially necessary. Still, article 49 is not the sole place to look for SCC compliance. Yes, SCC is still valid; however, using SCC requires a case by case analysis according to the relevant US law. For example, the FISA surveillance laws at issue in the CJEU decision.
Do’s and Don’ts
Per the EDPB FAQs on the “Schrems II” judgment, NOYB’s preliminary recommendation is that controllers take the following steps:
- Review all your external data flows (including to EU processors or controllers that in turn may transfer data to a non-EU entity) for data flows to third countries
- Identify the relevant legal basis (e.g., Adequacy, Article 49, Privacy Shield, SCCs, etc.)
- In relation to 50 USC § 1881a (= FISA 702) and EO 12.333 identify especially any US “electronic communication service providers” and any data flow to the US that is not secured against wiretapping by the NSA
- Stop your data transfers if:
- You or one of your partners still use the Privacy Shield
- A relevant US entity is an “electronic communication service provider” or
- You cannot protect your data flows from NSA wiretapping
- Notify the DPA if you continue to use SCCs, BCRs or any other instrument despite a negative assessment
Do You Have an Accurate Inventory of Your Data?
The Schrems cases are about preventing data transfer overseas. International Companies need to know where they are storing and transferring data. Issues can arise if a company is transferring a European citizen’s data to the US. The bottom line, companies must locate their data, identify it, analyze it, and minimize it. Guidance on data minimization as part of an effective privacy program can be found here. One result would be to store data on European citizens in Europe, separate from data in the United States, and not transfer it. The push for data localization is becoming more prominent as countries want to keep their citizens’ data within its borders.
Companies need to know what data they are storing, where they are storing data, and where they are transferring it across geographies. This knowledge will allow for quicker decision making and an ability to comply with the GDPR as circumstances change. Ardent Privacy provides nimble, easy-to-use, and high-speed data minimization solutions to discover, identify, inventory, map, minimize, and securely delete personal data. Our fast methods utilize machine learning and artificial intelligence to report on large data sets in hours rather than days.
Companies with any questions or need help figure out the most appropriate way to continue transferring data should contact the European Commission, the proper EU national data protection authority, or legal counsel.
The crucial first step of data, security compliance, is knowing what data you have, then identifying sensitive data and information assets that require protection under the law. Ardent Privacy’s solution provides data risk assessments and automates mapping, identification, and inventory data assets. Ardent Privacy specializes in data minimization and secure disposal, eliminating excess data to reduce liability.
Ardent Privacy articles should not be considered as legal or technical advice on GDPR, or any specific facts or circumstances. This article is written to express the opinion of the writer and nothing else.