On July 7, 2020, the EU/US Privacy Shield was deemed invalid by the Court of Justice of the European Union (CJEU) as part of its ruling in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems. In the simplest possible terms, this means that the transfer of European Personally Identifiable Information (PII), or data from which any specific European citizen can be identified, to the US is now illegal. It also means that around 60% of the companies transferring data out of the EU are breaking the law as we speak. But what was the Privacy Shield for, what does the fact that it no longer exists mean in practice to marketers, and what steps can companies take to ensure they stay on the right side of the law?
What was it?
The EU-US Privacy Shield was a legal framework agreed by the US Department of Commerce, the European Commission and the Swiss Administration, which provided a mechanism to help companies comply with data protection regulations when transferring PII from Switzerland and Europe to the United States. It was specifically designed to facilitate compliance with the General Data Protection Regulation (GDPR), a law adopted by the European Parliament in 2016 (although it didn’t come into force until 2018) that governs the processing of the personal information of individuals (data subjects) who are located in the EU and EEA areas, including the transfer of that data outside of these countries.
The Privacy Shield actually replaced a 2000 law, called Safe Harbor, which was designed to offer support for the safe transfer of EU and EEA data in the wake of the Patriot Act, a North American law giving the Federal Government and its representatives the right to access any data stored on US shores, without a warrant, post 9/11.
Why was the Privacy Shield needed?
Both Safe Harbor and the Privacy Shield existed to address the fundamental difference between the stateside view of data sovereignty, or who actually owns personal data, and the one held in Europe. In a nutshell, European law grants data ownership to the individual under the ‘right to privacy’ established by the European Convention of Human Rights, so your communications are considered private and your PII belongs to you. In the United States however, personal data is seen as belonging to the state, with protection of the state being considered much more important than protection of the individual.
Privacy is technically governed at state level, which is why the California Consumer Privacy Act grants much more stringent rights of privacy to its citizens, but even laws such as that one are overruled by Federal laws. The 2001 USA Patriot Act, designed as a piece of anti-terrorism legislation, gives US law enforcement bodies sweeping surveillance and investigative powers that mean no piece of data stored on US soil is out of bounds to enforcement officers.
So, the aim of the Privacy Shield was to promote transatlantic commerce by offering data handlers and data subjects alike a level of protection and the right to redress in the event of a data breach. It was used to bridge the differences between Europe and the US, and the legal protection offered to companies who signed up to it justified their authorization of transatlantic European PII transfers.
Why was it invalidated?
Ultimately, the protection it offered was deemed to be ‘inadequate’ under European law. GDPR, and before it the Data Protection Act 1998, guarantees an ‘adequate level of protection’ of the privacy of the data subjects it governs. EU member states are automatically classed as meeting the requirements for adequacy, while countries like Switzerland that are part of the European Economic Area (EEA) have to meet adequacy as a condition of membership, but other countries must be assessed by the EC for ‘adequacy’. If they are deemed not to meet the accepted standards, EU countries must abide by that ruling and cease transferring data to those countries. A key element in the decision-making is whether or not a country has a legal framework that promotes the privacy of the individual.
So, why were the US privacy safeguards deemed ‘inadequate’? After the CJEU had declared the Safe Harbor framework to be ‘adequate’ for protecting the data of EU citizens in mid-2000, the 9/11 attacks happened in September 2001. As previously mentioned, the USA Patriot Act, signed into law in October 2001, aimed to make it easier for the government to monitor the activities of ordinary Americans and seize their data in the name of national security. Despite this fact, there were no great worries for the data of European citizens – until Edward Snowden burst onto the international stage.
In June 2013, leaks generated by Snowden revealed that the NSA was tapping into the servers of nine major internet firms, including Facebook, Google, Microsoft and Yahoo, to sift through the data they stored. Murmurs about the validity of Safe Harbor began within the EU Commission the month after this revelation; then, in 2013, Maximillian Schrems, an Austrian privacy activist, lodged a formal complaint with the Irish Data Protection Commission, arguing that the Snowden scandal plainly showed that the US’ protection of European data was not ‘adequate’. The Irish authorities agreed, and in 2015 his case reached the Court of Justice of the European Union. The Safe Harbor agreement was indeed ruled to be invalid.
That wasn’t the end of it, though. Although the EU and the US developed a new data management agreement, the Privacy Shield, in 2016 in light of this ruling, less than a month after its launch 27 civil rights organizations were already questioning its validity. Schrems, meanwhile, immediately brought a new case challenging the robustness of the framework. As a consequence, the EU-US Privacy Shield was invalidated in July, as part of the ruling in Schrems’ case.
What does this mean for marketers?
On August 10, the US Department of Commerce and the European Commission announced that they were discussing a fresh legislative framework, an “enhanced EU-US Privacy Shield”, to comply with the Court of Justice’s ruling. However, right now there is no governing framework, which means that companies who choose to transfer the PII of European citizens to the US are breaking the law. Initially, the Information Commissioner’s Office (ICO) granted a transition period, saying that companies operating under the Privacy Shield should carry on with ‘business as usual’, but that statement has now been removed – which means there is no transition period, and technically companies transferring data stateside are breaking the law right now. Worse still, the company receiving the data stateside won’t be classed as liable. The European company, the one actually governed by European law, will bear the brunt of any punishment.
Of course, in practice, the ICO is unlikely to go after businesses breaching this law quite yet. For a start, there are so many businesses in breach of data protection laws, many of which are under contract with US data management firms or have colleagues they collaborate with in the US. It might be possible for companies to get out of existing contracts with US data processors by activating Force Majeure Clauses and Data Processing Agreements, but there’s probably no need. However, once those contracts run out and big corporations start to separate their EU and US data flows, it will be time for companies signed up to the Privacy Shield to put definite plans in place to ensure their compliance.
What sort of action can they take?
The first step is to look into existing frameworks that they could use instead of the Privacy Shield. For corporations with offices in Switzerland, the obvious solution is to henceforth transfer data to the US only from this office, since the Swiss-US Privacy Shield Framework (which is nearly identical to the EU-US Privacy Shield Framework) is still certified as valid. Of course, being so similar, it may at some point be invalidated itself, but no moves in this direction have been made thus far.
At the same time as the EU-US Privacy Shield was ruled to be invalid, the Court of Justice ruled the EU Commission’s Standard Contractual Clauses (SCCs), which the International Association of Privacy Professionals says 80% of companies transferring data out of the EU currently rely on, to be an ‘adequate’ mechanism for transferring EU PII to the US. This legal framework has remained unchanged since 2010, and isn’t something that can be tailored to suit a particular business – it’s a list of rules and regulations that the data exporter and importer must sign and agree to abide by in full. If any aspect of the wording is changed, the framework is rendered invalid.
One hitch in relying on SCCs is that, while declaring SCCs to be valid, the Court of Justice laid the onus at the door of the exporting data controller to verify that the agreement can provide effective protection when the laws of the importing country are taken into account. That means the exporter is expected to verify the adequacy of the importing country’s data protection laws, which, in the case of the US, have already been classified as invalid. Thus, SCC agreements are likely to be subjected to increasing scrutiny in the future. One possible solution is to employ an independent third party to verify the validity of individual agreements, which helps to decrease the risk for everyone involved and demonstrates a willingness to take data protection risks seriously.
Of course, there are two even more reliable methods of ensuring compliant data transfer. One is to ask each and every data subject for their consent to transfer data to the US – something that of course will take time and resources, and might result in significant database shrinkage (since many people aren’t keen on their data being shared and will refuse to give consent). The other is simple: don’t transfer European data outside of Europe. If your company is multinational, ensure that European data is solely handled by European data centres. That means creating a completely separate operating system for the European office, with not so much as administrative access granted to a single US employee. The minute a North American employee has access to European PII, so does the Federal Government.
What does the future hold for EU/US data transfer?
The fact is, it is in the financial interest of both the EU member states and the US to ensure that legal frameworks for data sharing are in place. But, until the US enshrines the right to privacy within its constitution, the CJEU is likely to keep scrapping potential frameworks due to the fundamental incompatibility of the two regions’ attitudes to personal information.
So, the best thing European companies can do is to keep their eyes and ears open with regard to rule changes and ‘best in class’ coping mechanisms, and do everything in their power to ensure their data handling complies with that most stringent of laws, GDPR. Even when the UK leaves the EU, the government has pledged to continue with, and if anything strengthen, the regime dictated by that law. Multinational corporations should look into setting up self-contained data handling units on both sides of the Atlantic, and ensure they keep meticulous records of data usage and access.
Here at BlueVenn, over the past few months we’ve noticed that more European-based organizations have been keen to discuss their Customer Data Platform projects only with other European-based organizations, with a view to creating a unified customer database that resides within the EU and is supported solely by EU-based employees. It is too soon to tell if this will become a growing trend with international companies, but for now, this course of action is deemed the only safe one for brands looking to ensure the legality of their technology investments during a period of limbo.