Privacy Shield is down, and the highest European court has thrown major doubt on the legitimacy of the next most popular method for transfers of personal data to the US.  Responses from regulators range from the UK’s ‘Keep calm and carry on’ to the Berlin DPA’s ‘Take your data out of the US now’ message.

This is huge!  There’s lots for Privacy specialists and academics here.  But we’re going to set out what happened, and the practical impact, in plain language.

And stick around as we’ll set out strategies and 5 Action Points to move forward while we wait for updated guidance from authorities.

Privacy Shield is Down!  What it means, and 5 Action Points

You can also watch our free video  ‘Privacy Shield is Down’, which is part of Privacy Kitchen – video help with GDPR and all things Privacy.  If you’re new to Privacy Kitchen, please do check it out here – and click subscribe and notify to hear about awesome Privacy Kitchen videos.

OK!  So, first, if you’re not sure what a Transfer is, pause this here, go and see our video: ‘What’s a Transfer for GDPR?‘.

Schrems II Decision

So, the big news: on 16 July 2020, was that Privacy Shield was invalidated in a case called Schrems II.  In a move that was reasonably predictable, the top court in Europe declared that Privacy Shield did not actually provide equivalent protection, so the adequacy decision for Privacy Shield was invalid.

Therefore, as from 16 July 2020 Privacy Shield is dead in terms of GDPR.  The Court decided not to put a transitional period in place.  So what do organisations do now?

UK ICO

Now if you’re in the UK, the UK ICO has released a statement that they’re reviewing their guidance in light of the court case, but to continue using Privacy Shield if you are already – but not to start if you aren’t already.

So this is our 1st Action Point: decide if you’re following the UK ICO’s advice – it would be hard for them to bring enforcement proceedings for following their own advice – and many organisations are adopting this ‘wait and see’ approach anyway, to see if a new adequacy decision can be rapidly achieved.

But if you’re not comfortable with that – and it is technically a breach of GDPR – what do you do now?

Pass Art 45, go straight to Art 46

Well, GDPR itself says that, if there’s no adequacy decision under Article 45, then you look to an ‘appropriate safeguard’ under Article 46.

This is our 2nd Action Point: look at your data map, identify which activities have transfers to the USA and which of those transfers rely on Privacy Shield, SCCs or another basis.  Keep that list handy!

Now, Standard Contractual Clauses.  We’ve seen that you first look at Article 45 and only move to Article 46 if there’s no adequacy decision.  So that’s what we’ll do now.

Standard Contractual Clauses

Article 46 gives a short list of ‘appropriate safeguards’, the most common and popular of which is Standard Contractual Clauses or SSCs.

Happily, the Court decided that SCCs are still a valid mechanism, and the existing versions, which desperately need updating, are good to use.

This is great! And this is our 3rd Action Point: if you’re not following the UK ICO guidance or you’re looking for new transfers to the US, take your list of transfers to the US and look to see where SCCs can be put in place.

Now, in practice, most US cloud providers have a GDPR-compliant Data Processing Addendum or DPA.  It’s in their terms.  It’s on their website.  You can sign it at will.  I’d recommend doing that now, get them in place ASAP.  At least you’ve taken an action to plug the gap with a valid mechanism and you can carry on with your review, which we’ll look at now.

Your SCC Review Obligations

Because the Court decided that you – yes, you, the organisation that’s subject to GDPR wanting to use the SCCs – you need to check that they work in your particular case by reviewing the context of the transfer, including the laws of the country you are exporting to, and their surveillance laws, for example, and decide if supplemental measures are needed.

This isn’t just about the US – it’s about any country: Russia, China, etc.   But let’s just leave those to the side for the moment!

So, this is our 4th Action Point: if you’re looking to use SCCs for the US, then you need to do that review. in summary for the USA, which is the focus here, the key surveillance law in question, which is Section 702 FISA, applies to:

• a ‘telecoms carrier’ which is pretty clear,
• a ‘provider of electronic communication services’ which at the minimum catches email and messaging services,
• it applies to a provider of a ‘remote computing service’ which catches AWS, Google, Microsoft, Facebook, etc, and
• any other ‘communications service providers’ who get access to communications when transmitted or stored, and
• their employees, officers and agents.

So if you use G-Suite, Office 365, AWS, Azure, Salesforce.com, HubSpot and other cloud services, your starting point is SCCs on their own are unlikely to work – you need to add supplemental measures.  Now, if the recipient doesn’t fall into those categories, does it use them in their own supply chain?  If yes, it’s still a problem.

If the recipient isn’t one of these companies, and they don’t use them in their own supply chain, you’re potentially good to use SCCs as they stand.

There’s an excellent IAPP webinar with Max Schrems himself and Eduardo Ustaran, which includes a discussion on this, the link’s below – we recommend you watch it.

So how’re you doing? Are you feeling like relying on the UK ICO guidance yet?

Okay, let’s continue.

Supplemental Measures

So, on supplemental measures, the day after Schrems II the European Data Protection Board, the body of EEA Regulators, helpfully said that they’re looking further into what those additional measures could consist of. … Right.

Now, at present, no one really knows what measures will be accepted or appropriate. Contenders, though, that you might look at, are:

• encrypt your data before it leaves the EEA;
• otherwise disable access by recipients in the USA; or
• don’t store outside the EEA and only allow those outside the EEA to view with no download access.

Of course, if you store your data in the EEA and it’s never transferred, so there’s no access from outside the EEA, you don’t need to worry… or do you, because if you have a cloud provider in the EEA that’s the European arm of a US entity, that may be a problem, but let’s deal with what’s in front of us now and leave that for later!

This all highlights the need to have thought about this – if possible, have supplemental measures you can point to that, you argue make the SCCs a valid route.

Binding Corporate Rules

Article 46 also includes Binding Corporate Rules.  These are great, but they’re very rarely used.  Across Europe, there are only 140 approved before GDPR and only five in the two years since.  They can take up to two years to put in place.  They’re expensive and time consuming.

So, while they’re fantastic, they’re statistically, and practically, irrelevant for now.

So, let’s just round up where we got to:

• Privacy Shield is no longer valid as a transfer mechanism to the USA under Article 45.
• So, you move on to Article 46, and probably SCCs, which still work in theory – but, you need to review the context of the transfer and the law of the third country – not just the US, any third country – and decide if you need supplemental measures.

If you don’t follow the UK ICO’s advice, and you can’t make SCCs work for your transfer, is there anything else that can be done to help you transfer to the US? Yes, but it’s very limited.

Article 49 – the last resort

Our 5th Action Point is to see if any derogations in Article 49 work for you.  The Court left Article 49 alone.  In fact, it said it was the reason it saw no need for a transition period, which is a very punchy statement indeed, and here’s why.

The EDPB’s Guidance on Article 49 makes clear it’s the last resort.  They state that these derogations are only for use when Articles 45 and 46 aren’t of use.  The derogations are just that, and must be interpreted restrictively so that the exception does not become the rule.

Now, for most organisations, the only grounds in Article 49 you’re likely to be looking at are the first 3 and if you’re public sector, these derogations can’t apply to activities carried out by public authorities in the exercise of their public powers.

• No 1 is explicit consent to the proposed transfer after the data subject’s been told about the possible risks of transfers for them due to the absence of an adequacy decision and appropriate safeguards.
• No 2 is necessary for the performance of a contract between the data subject and the controller, or implementation of pre-contractual measures at the data subject’s request. Note the word ‘necessary’.
• And No 3 is close to No 2. It’s necessary for the conclusion or performance of a contract concluded in the interests of the data subject.

Now the EDPB states that explicit consent has to be to the particular transfer.  This suggests it has to be a separate consent, all on its own.  And they note that GDPR’s Recital 111 says that the contract basis not only has to be ‘necessary’, but also ‘occasional’.

So, not exactly the wealth of opportunity the Court seemed to suggest!

More change to come!

So there we go, the practical impact of Schrems II – for now!  Do keep an eye out for updated advice from authorities – it’s changing rapidly.

But we have been able to set out a pathway of 5 Action Points to explore for transfers to the USA.  Please do look at our other Privacy Kitchen videos like ‘What is a Transfer for GDPR?’

Stay well in the meantime, and see you soon in Privacy Kitchen!

Links

Max Schrems NOYB website

NOYB FAQs

NOYB FAQs for organisations

CJEU Schrems II Press Release 2020

CJEU Schrems II Judgement 2020

Ireland’s DPC on Schrems II

UK ICO on Schrems II

EDPB on Schrems II

European Commission on Schrems II

Spain’s AEPD on Schrems II

IAPP webinar with Max Schrems and Eduardo Ustaran

IAPP page with DPA reactions

EDPB on Article 49 Derogations

EDPS on Schrems II

Berlin DPA on Schrems II

Dept of Commerce on Schrems II

S702 FISA

US Director of National Intelligence Paper on FISA 702

Brennan Centre on 702 FISA, EO 12333 and s215 Patriot Act

Electronic Privacy Information Centre on FISA

CJEU Schrems I Press Release 2015

CJEU Schrems I Judgement 2015