ECJ rules EU-US Privacy Shield invalid

on Monday, 03 August 2020. Posted in Data protection

Last month (16th July), the European Court of Justice (ECJ) ruled the EU-US Privacy Shield invalid.

As a result, relying on the Privacy Shield to transfer EU citizens’ data to the United States is now illegal.

A brief history of EU/US privacy laws

To explain the EU-US Privacy Shield and its potential impact on businesses, we need to go back twenty-five years.

EU Directive 95/46/EC

The right to privacy for citizens inside the European Economic Area (“EEA”) is more rigorous than in places outside of Europe.

Consequently, the EU Directive 95/46/EC came into force on the 13th December 1995 and forbade the transfer of personal data to a country outside the EEA unless that country had adequate data protection measures in place.

The Safe Harbor era

Introduced at the turn of the century, the ‘Safe Harbor Privacy Principles’ helped US companies follow the EU Directive 95/46/EC. They allowed US companies to store data from EU companies in the United States without violating EU (and UK) data protection laws.

Companies who opted into the ‘Safe Harbor Privacy Principles’ had to register with the U.S. Department of Commerce and agree to a set of privacy principles approved by the European Commission in 2000.

After agreeing to the principles, an organisation needed to undertake a re-certification audit every year. The audit involved undertaking a self-assessment to verify that it complied with the principles.

Schrems I judgment

In 2015, the ECJ ruled the ‘Safe Harbor Privacy Principles’ were invalid.

Max Schrems, an Austrian citizen, filed a complaint with the Irish Data Protection Commissioner, asking them to prohibit Facebook from transferring his data to the US after Edward Snowden's NSA leaks showed that European data stored by US companies was not safe from surveillance that would be illegal in Europe.

Initially, the complaint was rejected with the Commission finding that the US ensured an adequate level of protection.

However, the case was referred to the ECJ by the High Court in Ireland. On 6 October 2015, the ECJ declared the Commission’s decision invalid, as it was established that US federal government agencies could use the data under US law, but were not required to opt in to the principles.

Adoption of the EU-US Privacy Shield

Nine months later, the European Commission approved a replacement for the ‘Safe Harbor Privacy Principles’ (Decision 2016/1250), stating that the EU-US Privacy Shield provided adequate protection when transferring personal data out of the EEA to the United States.

The EU-US Privacy Shield Framework was designed by the U.S. Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce.

The framework was enacted on July 12, 2016.

General Data Protection Regulation (GDPR)

The GDPR became law in May 2018.

It replaced all data protection legislation in EU member states such as EU Directive 95/46/EC and the Data Protection Act 1998 (DPA) in the UK.

The regulation applies if the data controller or processor or the data subject is based in the EU. It also applies to organisations based outside the European Union if they process personal data of EU residents.

According to the European Commission, "personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address."

The GDPR includes new and improved privacy rights for individuals within the EU, such as “the right to be forgotten”. It also stated there needs to be an adequate level of data protection applied to data transferred to third countries outside the EU.

Some third countries were certified by the EU as ‘adequate’ (via an ‘adequacy decision’) but others needed to provide appropriate safeguards, for example, by self-certifying with the EU-US Privacy Shield.

Schrems II case

The EU-US Privacy Shield included written assurances regarding access to data by US authorities.

Despite these commitments, it was felt the EU-US Privacy Shield was not robust enough to withstand future legal scrutiny by the ECJ, and so it proved to be when challenged by Max Schrems again.

He argued that US domestic law was incompatible with the GDPR, and enabled public authorities to access personal data for national security reasons once it was located in the US, resulting in limited data protection for EU citizens.

In July 2020, the ECJ invalidated Decision 2016/1250, declaring that the EU-US Privacy Shield is no longer a legal way to transfer personal data outside of the EEA. The decision, they said, was taken because the risks to individual privacy arising from surveillance and law enforcement activities meant that GDPR requirements were not being met, despite previous safeguarding commitments.

What happens next?

This is undoubtedly a blow for the 5,371 US companies who signed up to the EU-US Privacy Shield. In a further setback, the European Data Protection Board (EDPB) has confirmed there will be no regulatory grace period, meaning companies will need to act now to replace the EU-US Privacy Shield and remain compliant.

Fortunately, companies who self-certified before may have an option available to them to preserve transatlantic data flows.

Standard contractual clauses (SCC)

These companies will need to sign a legal contract with the EC (called ‘standard contractual clauses’ (SCC)) agreeing to match GDPR standards when transferring personal data from the EEA to third countries.

Since the announcement in July, Google has moved to SCCs when transferring personal data from online advertising out of the EEA, Switzerland, and the UK.

Problems on the horizon?

Good news... but the ECJ outlined additional conditions for companies when transferring data using SCCs.

Ultimately, the Court shifted the emphasis onto companies, asking them to evaluate whether an adequate level of protection exists in the third country before the transfer takes place and whether the third country’s laws are compatible with SCC and GDPR.

After the ruling, the reaction was less than favourable, most notably from the Hamburg Data Protection Authority who commented:

The decision of the ECJ to keep the Standard Contractual Clauses (SCC) as an appropriate instrument is not consistent. If the invalidity of the Privacy Shield is primarily based on the escalating secret service activities in the USA, the same must also apply to the standard contractual clauses. Contractual agreements between the data exporter and the importer are equally unsuitable for protecting those affected from state access.

Ultimately, the Hamburg Data Protection Authority is right.

For an SCC to be valid, the company must agree their government cannot have access to the data. However, no matter what they promise, their country’s law will ALWAYS prevail and their public authorities WILL get access to the data if they decide it is necessary, which will break EU/UK data protection rules.

In the absence of an adequacy decision or alternative safeguards, Article 49 of the GDPR outlines several derogations for specific situations where data transfers are still permitted. One such situation enables companies to seek the explicit consent of data subjects for transfers to a third country or an international organisation.

In the future, it is highly likely replacement measures will be agreed to limit surveillance on the personal data of European citizens. Less than one month after the ruling, the U.S. Department of Commerce and the EU announced they have started talks to evaluate the potential for an enhanced EU-U.S. Privacy Shield framework.

What does this mean for my organisation?

Activities like running clinical trials with OpenClinica, process automation with Pega BPM, optimising workflows with KiSSFLOW, or using Survey Monkey for data capture were all facilitated by the EU-US Privacy Shield.

As the Privacy Shield is invalid, it means you are risking a fine from the Information Commissioner’s Office (ICO) if you are using these products and the company has not implemented alternative safeguards (e.g. SCC) to protect any customer, patient, or employee data stored on servers in the USA.

Data localisation

A possible solution is data localisation, where data is processed and stored on servers located in the EU as opposed to the US.

Indeed, some US businesses have started to invest in EU data centres, with Survey Monkey opening a site in Ireland in May 2019. However, at the time of writing, Survey Monkey still says most European customer data lives on servers in the US. Moreover, it is yet to be proven that data residing on a server physically located in the EU is legal if the company managing the data is subject to third country law enforcement and surveillance activities.

Similarly, a growing number of EU companies have decided to keep their data on the continent by using services owned and operated within the EU.

The impact of Brexit!

A further complication for UK businesses is Brexit. The UK left the European Union on 31 January 2020 and is now a third country to the EU.

With the transition period due to end on 31 December 2020, the UK is seeking an adequacy decision that will permit data to move between the EU and the UK post-Brexit.

However, according to a policy paper issued by the UCL European Institute, any decision is likely to face many legal challenges that could take years to resolve and an ongoing threat of ECJ invalidation.

So, a repeat of the EU/US legal limbo then!


Needless to say, the situation is complex and compliance with necessary regulations is far from guaranteed. It is also fast-moving with SCC transfers under scrutiny and the EDPB announcing it will support the European Commission in building a new framework with the US.

In our view, this level of uncertainty means you cannot rely on US-based (or non-EU) data centres, or any company under the jurisdiction of US authorities with EU data centres, for data protection and privacy.

At the same time, the Brexit decision means the UK is likely to face obstacles over the next decade with EU-UK data flows. And some companies including Google have already announced plans to move UK users’ data from the EU to the US to avoid complications arising from a no-deal Brexit. Other software providers will likely follow.

In the short-term, our advice is to ask your suppliers if they are reliant on the EU-US Privacy Shield and request the implementation of new safeguards if they confirm they are dependent on the mechanism.

At the heart of the problem is the US legal system which gives absolute power to the law enforcement authorities whereas the EU/UK does not. Consequently, we have seen several ‘solutions’ to the problem created, often over years of painful negotiations, only to fall at the first legal challenge.

To conclude, unless the US change their system, they will never truly satisfy EU or British legal requirements. For this reason, we would strongly advise against moving data and services outside the EU and, with Brexit in progress, even outside the UK.