“And now,” cried Max, “let the wild rumpus start!”
The famous line from Maurice Sendak’s “Where the Wild Things Are” seems appropriate in the wake of the latest ruling in Max Schrems’s ongoing privacy battle with Facebook.
The July 16 judgment from the Court of Justice of the European Union (CJEU) invalidated the EU-U.S. Privacy Shield, a popular mechanism for transferring personal data from the EU to the U.S., and imposed new obligations on those who transfer data from the EU via specific contractual language (known as standard contractual clauses, or SCCs).
With one transfer method invalidated and another encumbered with new criteria, compliance counsel and privacy professionals have probably—and quite justifiably—“roared their terrible roars” and “gnashed their terrible teeth,” resembling the Wild Things in Sendak’s book.
A wild rumpus, indeed!
Just as Sendak’s Max “made mischief of one kind … and another,” some would say that Max Schrems has made his own double trouble, too.
Schrems’s original complaint arose from Edward Snowden’s 2013 revelations about the U.S. government’s PRISM surveillance program, which permitted the National Security Agency to target non-U.S. citizens for foreign intelligence purposes.
Schrems, an Austrian citizen, claimed that Facebook Ireland—which is the entity through which Facebook operates in Europe—was transferring his data to Facebook’s servers in the U.S. That transfer, he argued, therefore made his personal data subject to surveillance by the NSA in violation of his fundamental rights under EU law.
In 2015, the CJEU issued its first decision in the case (i.e., Schrems I), which invalidated the precursor to the Privacy Shield—the so-called Safe Harbor—which had been in use since 2000.
In 2016, the U.S. and EU crafted the Privacy Shield Framework as a replacement mechanism, but that framework has now suffered the same fate as its predecessor, thanks to the July 16th decision, known as Schrems II.
The demise of the Privacy Shield is somewhat surprising because the second challenge had primarily focused on Facebook’s reliance on SCCs. Although SCCs survived the challenge, they did not survive unscathed.
Unlike the Privacy Shield, which was limited to transfers from the EU to the U.S., SCCs have been used for transfers from the EU to so-called “third countries” across the globe. By copying and pasting these European Commission-approved clauses into contracts, companies have been able to transfer personal data from the EU without incident.
After Schrems II, however, copying and pasting alone will not suffice. Companies seeking to rely on SCCs will need to evaluate “on a case-by-case basis” whether the law of the third country “ensures adequate protection.” If it doesn’t, companies must provide “additional safeguards” to those offered by the clauses themselves.
Cue the Wild Rumpus
While no “magic trick” yet exists to replace the Privacy Shield or to facilitate what amounts to individualized risk assessments anytime SCCs are used, the following questions and answers should help clarify what’s at stake and (hopefully) provide an action plan for next steps.
What kind of data is at issue?
“Personal data” of “data subjects” in the EU, as defined by the General Data Protection Regulation (GDPR Art. 4(1)).
What transfers are at issue?
Transfers of personal data from the European Economic Area (EEA)—which comprises Iceland, Liechtenstein, Norway, and the 27 countries of the EU—to any other country, except for the dozen that have received an “adequacy determination” from the European Commission: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, Switzerland, and Uruguay.
Does the ruling affect only companies exporting personal data from the EU?
No, it affects both data exporters (data controllers in the EU) and data importers (data processors in a third country).
What does “adequacy” mean?
A level of protection “essentially equivalent” to that guaranteed within the EU.
Doesn’t the U.S. ensure an adequate level of protection?
According to Schrems II, no.
Specifically, the judgment states that the CJEU “harbours doubts as to whether US law in fact ensures the adequate level of protection required under Article 45 of the GDPR, read in the light of the fundamental rights guaranteed in Articles 7, 8 and 47 of the Charter [of Fundamental Rights].”
It’s probably safe to say that “harbours doubts” amounts to a “no.”
Anna Pateraki, a senior associate in the Brussels office of Hunton Andrews Kurth, agrees. “The CJEU established that U.S. laws do not provide an adequate level of protection because of the possibility of bulk surveillance by intelligence services in certain cases. In essence, this means that global organizations with operations in the U.S. are presumably at risk for EU data transfers and need to mitigate that risk or, alternatively, they should be able to demonstrate that such risk does not apply to their operations.”
Indeed, an argument could be made that Section 702 of the Foreign Intelligence Surveillance Act, 50 U.S.C. § 1881a, would apply only if the data importer is an “electronic communication service provider.” So data transfers to businesses that do not fall within that definition arguably would not raise surveillance concerns.
Still, even if a business were to overcome that hurdle, it would need to show how data subjects are also afforded an effective means of judicial redress.
Does that mean that data transfers cannot be made to the U.S.?
Schrems II clearly held that companies cannot rely on the Privacy Shield. While SCCs are still a valid transfer mechanism, as are binding corporate rules (BCRs), Pateraki notes that “SCCs may not always be sufficient, requiring a case-by-case assessment of adequacy prior to the transfer following the judgment.”
She concludes that data transfers can be made to the U.S. post-Schrems II, “but it is a task requiring enhanced accountability, including thoughtful implementation, documentation, and monitoring.”
The European Data Protection Board (EDPB) has extended that accountability to BCRs as well as SCCs. As indicated in its FAQ guidance released July 23, companies must make case-by-case assessments for both BCRs and SCCs, “taking into account the circumstances of the transfers, and supplementary measures you could put in place.”
And of course, companies can also make use of the derogations listed under GDPR Art. 49 to make transfers to the U.S.
Wait a minute! Case-by-case assessments are required for BCRs, too?
Yes, according to the EDPB’s FAQs.
(Resume roaring terrible roars and gnashing terrible teeth. Even though the CJEU did not address BCRs in Schrems II, the EDPB has apparently been bombarded with questions about BCRs “frequently.”)
What are derogations?
Derogations under GDPR Art. 49 are limited exemptions permitting cross-border data transfers in the absence of an adequacy decision, BCRs, or SCCs. Examples include very specific situations, such as where a data subject has granted explicit consent to the proposed transfer after having been informed of the possible risks of the transfer.
For situations not fitting within one of the specific exemptions, a catch-all applies, but “only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data.”
Suffice it to say that GDPR Art. 49 is not a silver bullet.
Can Privacy Shield obligations be ignored?
No. The U.S. Department of Commerce issued a press release July 16 indicating that it will continue to administer the Privacy Shield program and that the CJEU’s judgment does not relieve participating organizations of their Privacy Shield obligations.
What immediate first steps should be taken?
If any data transfers are based solely on the Privacy Shield, consider transitioning them to SCCs now. There is no grace period. Transfers on the basis of the Privacy Shield are illegal.
But aren’t new SCCs forthcoming?
Yes, the European Commission is expected to update the SCCs, but the Commission has not yet released the new text. So use what’s available and amend later.
What about the case-by-case assessment?
Admittedly, any “case-by-case” evaluation of whether a given country’s law “ensures adequate protection” will not be practical for even the most sophisticated of organizations. Such an evaluation amounts to a case-specific adequacy decision, and the European Commission itself takes years before issuing adequacy decisions.
That said, the EDPB’s FAQs advise companies to make assessments nonetheless. Really. No joke.
Hunton’s Pateraki is not amused. “It is unclear how organizations can be expected to make transfer adequacy assessments. The CJEU put the burden of this exercise on companies, but how can a company review and assess the adequacy of the different legal regimes in the recipient jurisdictions?”
The key, apparently, is in the undefined and unspecified “supplementary measures.” But there’s no need to fret, as the EDPB “is looking further into what these supplementary measures could consist of and will provide more guidance.”
In the meantime, try “staring into all their yellow eyes without blinking once.” Hey, it worked for Max.
Data Transfer Options ‘From Far Away Across the World’
Data localization is one option. Keeping data within the EU or exporting it only to countries deemed “adequate” by the Commission should ensure that data transfers pass muster. But then again, data localization may not be a “practical” option in many circumstances.
As mentioned above, the derogations set forth in GDPR Art. 49 are options as well, but they are very limited in scope and not practical for routine transfers.
SCCs and BCRs are still valid options, but they must be supplemented with an assessment to ensure that the law of the third country offers a level of protection “essentially equivalent” to the GDPR. If the assessment comes up short and additional contractual measures fail to set things right, the transfer must be halted.
Anna Pateraki suggests as a first step that organizations should review internal and external data transfers from the EU, as well as any applicable legal requirements in the third country that allow public authorities to interfere with the rights of EU data subjects.
“For example,” Pateraki says, “are public authorities authorized by local law to access EU personal data stored in the recipient’s jurisdiction? If yes, is the data recipient able to limit such access technically or by implementing proportionality and necessity safeguards for such access? These are difficult questions.”
So for now, review existing data transfers with an eye toward identifying “appropriate safeguards,” such as mandating the use of encryption and/or requiring data importers to file transparency reports. Be sure to document the assessment and brief senior management on any recommendations.
While final resolution of this issue may last “through night and day and in and out of weeks and almost over a year,” one thing is certain: Max will continue to “make mischief.”