Privacy Shield is dead. Now what?

What’s happened?

Schrems strikes again. We’re all going to have to find new ways to protect transfers of data to the US – or stop doing it. The ECJ today invalidated the Privacy Shield framework that was cobbled together in 2015 after the ECJ struck down Safe Habour in response to the original lawsuit Max Schrems brought against Facebook. Once more it’s excessive US state surveillance that’s seen as the problem, which makes it harder for private companies to identify appropriate safeguards.

Importantly, although Standard Contractual Clauses were not entirely invalidated by the ECJ judgement, the Court ruled that they cannot be used to legitimise transfers to the US, or at least not in the context of service providers like Facebook. This is because the Court made clear that SCCs are not just about having the clause in an agreed contract; there must also be a provable ability to comply with the safeguards and constraints stipulated in the clauses.

“There can be no transfer of data to a country with forms of mass surveillance”.

Herwig Hoffman, one of the lawyers who presented the case to the ECJ

The Court effectively agreed, reminding the Irish DPC that it has a duty to act to enforce the GDPR, and that transfers to third countries without an adequacy decision require a review of the law in the third country to ensure that there are no risks to the rights and freedoms of data subjects (effectively Articles 7, 8 and 47).

This has very significant implications for Brexit, as noted in my previous blog post. The UK also has mass surveillance, in the form of the Investigatory Powers Act, and the implication is that not only is the UK unlikely to get an adequacy decision but also that EU supervisory authorities will come under pressure to restrict transfers to the UK after December 2020.

So what is to be done?

Multinational organisations and joint ventures can consider using Binding Corporate Rules (BCRs) to legitimise internal data transfers to the US, but only to parts of their own enterprise. BCRs are also complex to set up, especially in a joint venture or fractional ownership environment, and require entities to accept liability for litigation by data subjects. Critically BCRs have to be formally approved by the organisation’s local EU regulator, which may be difficult to achieve in this new context and will certainly introduce significant delay.

For basic commerce there is the possibility of relying on Article 49 derogations, but the Commission has been clear that these should not be used for repetitive transfers. Broadly this means that US websites can make occasional sales to EU/UK citizens on the basis of Article 49 and the need to fulfil a contract, but can’t provide ongoing services or routine data processing, particularly in bulk.

The very large US tech companies can probably – at some cost – segment their global processing to keep EU/UK citizen data geographically located within the EEA, although this may also reduce some of their service capabilities and impact revenue from e.g. advertising. Smaller organisations without EU/UK staff and locations are going to need to look for other solutions and, depending on the appetite for enforcement, there will inevitably be a chilling effect on transatlantic commerce just as we saw with the introduction of the GDPR in 2018 when a large number of US websites geofenced to exclude EU users to avoid potential GDPR liability.

Background detail

Adequacy decisions are made by the European Commission to indicate that countries outside the EEA have acceptable safeguards over the processing of personal data such that EEA controllers and processors can transfer information to them without additional restrictions. The following countries (now excluding the US) have adequacy: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay. Transfers on the basis of adequacy are also known as Article 45 transfers.

Max Schrems is an Austrian privacy activist who, with backing from privacy campaign groups, first took Facebook to the ECJ in 2015 in response to the Snowden revelations about PRISM – the US intelligence service programme to gain routine access to Facebook and other large social media networks’ activity data. The ECJ ruled that the existing adequacy arrangement, called “Safe Harbour”, was inadequate and therefore invalid. A replacement, called “Privacy Shield”, was hurriedly constructed – it added a registration mechanism overseen by the US Department of Justice and an independent ombudsperson to oversee complaints. Schrems immediately challenged Privacy Shield and the ECJ has today (16/07/2020) ruled that it’s invalid.

Standard Contractual Clauses (SCCs), also known as “model clauses”, are forms of contract intended to provide a legitimate basis for transfers to third countries (jurisidictions outside the EEA that do not have an adequacy decision). The full text of the current SCCs can be found at:

• Controller to controller: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32004D0915
• Controller to processor: https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087

Binding Corporate Rules (BCRs) are internal binding contracts inside multinational companies and joint ventures that legally bind the organisation to implementing appropriate safeguards on international transfers to third country locations. They can only apply to the organisation itself, not its supply chain or business partners, and are famously time-consuming and difficult to implement. They have to be approved by the organisation’s local EU/UK regulator; this will of course introduce a significant delay if that workload becomes significant for already thinly-stretched supervisory authorities. The details of BCRs are here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/binding-corporate-rules-bcr_en

Article 49 of the GDPR provides a mechanism for transfers to third countries without adequacy decisions, where neither Standard Contractual Clauses nor BCRs are in place. A small range of permitted transfers is available on the following bases:

• Consent (explicit and informed) – but note the requirement that processing activities are occasional and non-repetitive, so this won’t work for Facebook et al.
• Necessity for the performance of a contract – again only for incidental purposes like booking a hotel or a hire car, or buying something on-line, not for ongoing services like social networks or information services.
• There are also public interest, establishment of a legal defence and protection of the vital interest of the data subject where the data subject is unable to consent, but none of these is useful in a commercial context.

Article 7 of the Charter of Fundamental Rights establishes the right to privacy and family life; article 8 is the right to data protection; article 47 is the right to effective remedy at law.