European Court declares U.S. Privacy Shield invalid
The decision on 16th July by the Court of Justice of the European Union (CJEU), in the case of European Commission v Facebook (commonly known as Schrems II after Max Schrems, who instigated the case), to declare the United States Privacy Shield invalid could have significant implications for UK businesses that transfer data to the U.S.
The court’s decision effectively means that businesses should discontinue transferring personal data to companies in the U.S. under the Privacy Shield mechanism (for example, UK personal data being held in U.S. data centres, or the use of U.S.-based software packages) unless they have an alternative mechanism in place that is deemed adequate. The common alternative to Privacy Shield is the use of Standard Contractual Clauses, or SCCs (sometimes referred to as Model Clauses), which have been approved by the EU Commission and/or the local Data Protection Authority (in our case the ICO). The court decision confirmed that SCCs are still valid, but in doing so created something of a dilemma.
There were two main reasons why the CJEU ruled against Privacy Shield. The first is that U.S. government access to personal data is not limited to what is “strictly necessary and proportionate”, so it does not meet the requirements of Article 52 of the European Charter on Fundamental Rights. This is primarily due to powers under Section 702 of the Foreign Intelligence Surveillance Act (FISA), but also a couple of other U.S. regulations. The second concerns the fact that there is insufficient legal recourse in the U.S. for data subjects, and that the Ombudsman process "does not provide data subjects with any cause of action before a body which offers guarantees", the Ombudsman being “neither empowered or independent”. This contravenes Article 47 of the Charter.
The dilemma for companies now is that the CJEU, whilst confirming that SCCs remain valid, imposed a responsibility on companies (and to an extent the supervisory authority) to ensure, on a case-by-case basis, that “supplementary measures and additional safeguards” are used where necessary to ensure an adequate level of protection. There is a clear indication in the court’s decision that this adequate level of protection can only be achieved if one can overcome the above reasons for outlawing Privacy Shield, i.e. government surveillance and legal redress. The court ruled that companies in the EU must assess the level of protection afforded “as regards any access by the public authorities of that third country to the personal data transferred (and) the relevant aspects of the legal system of that third country.” This could prove difficult, and whilst mechanisms such as encryption might be considered, do we really know what would happen if U.S. or other government authorities were to demand access to the data?
This decision as regards SCCs could, of course, have implications not only in respect of data transfers to the U.S. but also transfers to other third countries where no EU adequacy decision exists. Companies will now have to look more closely at whether other governments' surveillance or legal redress arrangements could render SCCs insufficient to permit transfers.
So what about Brexit? The ICO has so far remained quiet other than to release a brief statement saying “The ICO is considering the judgement from the European Court of Justice in the Schrems II case and its impact on international data transfers, which are vital for the global economy. We stand ready to support UK organisations and will be working with UK Government and international agencies to ensure that global data flows may continue and that people’s personal data is protected.” However, in a later post it advised companies that are currently exporting personal data on the back of Privacy Shield to continue to do so pending further advice, but that companies should not set up any new arrangements under Privacy Shield.
Once we are fully extracted from the EU we will become a ‘third country’, and thus a spotlight is likely to be shone on our own government surveillance. This could have an effect not only on SCCs but also on the EU’s attitude towards awarding an adequacy decision to the U.K.
What should companies do right now if they currently rely on Privacy Shield for transfers to the U.S.? It's a good question, and in fact it's a question I posed to Max Schrems himself as well as the Irish DPC Helen Dixon, and the fact is there is no simple answer. Clearly the safest bet would be to stop exporting data to the U.S. and look for local hosting within the U.K., use locally based SaaS services, or at least within the EEA. One could await further guidance from the ICO, which seems sensible. Alternatively, one could move to SCCs, and where possible carry out whatever due diligence you can, because at least SCCs are valid in principle, and I feel it is better to be using a mechanism that is valid in principle, rather than one that has been squarely invalidated by Europe's highest court.
The European Data Protection Board (EDPB) has released a statement which roundly supports the court's decision and underlines the need to meet the requirements detailed in Article 45 (2) of the GDPR in order to ensure that data is only exported to countries with adequate protection. The CJEU imposes a duty on exporters and importers of personal data to make an assessment of safeguards and where necessary ensure additional safeguards are put in place. The EDPB says "If the result of this assessment is that the country of the importer does not provide an essentially equivalent level of protection (i.e. to Article 45 (2)), the exporter may have to consider putting in place additional measures to those included in the SCCs. The EDPB is looking further into what these additional measures could consist of."
The plain fact is that the measures detailed as being a requirement under Article 45 (2) of the GDPR include the very issues which led to the decision to invalidate Privacy Shield and the requirement to add additional safeguards to SCCs. In other words, strictly speaking, exporters of data to the U.S. must put in place safeguards to ensure that U.S. government surveillance is only used where necessary and proportionate, and that the Ombudsman service is overhauled and legal redress issues are addressed: quite a challenge for the average UK SME to overcome! In reality this can only be achieved if the U.S. government makes changes to its own policies, or the EU can come up with a compromise.
More to follow, methinks….
Nick Richards CIPP/E