Privacy Shield is down, and the highest European court has thrown major doubt on the legitimacy of the next most popular method for transfers of personal data to the US. Responses from regulators range from the UK’s ‘Keep calm and carry on’ to the Berlin DPA’s ‘Take your data out of the US now’ message.
This is huge! There’s lots for Privacy specialists and academics here. But we’re going to set out what happened, and the practical impact, in plain language.
And stick around as we’ll set out strategies and 5 Action Points to move forward while we wait for updated guidance from authorities.
You can also watch our free video ‘Privacy Shield is Down’, which is part of Privacy Kitchen – video help with GDPR and all things Privacy. If you’re new to Privacy Kitchen, please do check it out here – and click subscribe and notify to hear about awesome Privacy Kitchen videos.
OK! So, first, if you’re not sure what a Transfer is, pause this here, go and see our video: ‘What’s a Transfer for GDPR?‘.
So, the big news: on 16 July 2020, was that Privacy Shield was invalidated in a case called Schrems II. In a move that was reasonably predictable, the top court in Europe declared that Privacy Shield did not actually provide equivalent protection, so the adequacy decision for Privacy Shield was invalid.
Therefore, as from 16 July 2020 Privacy Shield is dead in terms of GDPR. The Court decided not to put a transitional period in place. So what do organisations do now?
Now if you’re in the UK, the UK ICO has released a statement that they’re reviewing their guidance in light of the court case, but to continue using Privacy Shield if you are already – but not to start if you aren’t already.
So this is our 1st Action Point: decide if you’re following the UK ICO’s advice – it would be hard for them to bring enforcement proceedings for following their own advice – and many organisations are adopting this ‘wait and see’ approach anyway, to see if a new adequacy decision can be rapidly achieved.
But if you’re not comfortable with that – and it is technically a breach of GDPR – what do you do now?
Well, GDPR itself says that, if there’s no adequacy decision under Article 45, then you look to an ‘appropriate safeguard’ under Article 46.
This is our 2nd Action Point: look at your data map, identify which activities have transfers to the USA and which of those transfers rely on Privacy Shield, SCCs or another basis. Keep that list handy!
Now, Standard Contractual Clauses. We’ve seen that you first look at Article 45 and only move to Article 46 if there’s no adequacy decision. So that’s what we’ll do now.
Article 46 gives a short list of ‘appropriate safeguards’, the most common and popular of which is Standard Contractual Clauses or SSCs.
Happily, the Court decided that SCCs are still a valid mechanism, and the existing versions, which desperately need updating, are good to use.
This is great! And this is our 3rd Action Point: if you’re not following the UK ICO guidance or you’re looking for new transfers to the US, take your list of transfers to the US and look to see where SCCs can be put in place.
Now, in practice, most US cloud providers have a GDPR-compliant Data Processing Addendum or DPA. It’s in their terms. It’s on their website. You can sign it at will. I’d recommend doing that now, get them in place ASAP. At least you’ve taken an action to plug the gap with a valid mechanism and you can carry on with your review, which we’ll look at now.
Because the Court decided that you – yes, you, the organisation that’s subject to GDPR wanting to use the SCCs – you need to check that they work in your particular case by reviewing the context of the transfer, including the laws of the country you are exporting to, and their surveillance laws, for example, and decide if supplemental measures are needed.
This isn’t just about the US – it’s about any country: Russia, China, etc. But let’s just leave those to the side for the moment!
So, this is our 4th Action Point: if you’re looking to use SCCs for the US, then you need to do that review. in summary for the USA, which is the focus here, the key surveillance law in question, which is Section 702 FISA, applies to:
So if you use G-Suite, Office 365, AWS, Azure, Salesforce.com, HubSpot and other cloud services, your starting point is SCCs on their own are unlikely to work – you need to add supplemental measures. Now, if the recipient doesn’t fall into those categories, does it use them in their own supply chain? If yes, it’s still a problem.
If the recipient isn’t one of these companies, and they don’t use them in their own supply chain, you’re potentially good to use SCCs as they stand.
There’s an excellent IAPP webinar with Max Schrems himself and Eduardo Ustaran, which includes a discussion on this, the link’s below – we recommend you watch it.
So how’re you doing? Are you feeling like relying on the UK ICO guidance yet?
Okay, let’s continue.
So, on supplemental measures, the day after Schrems II the European Data Protection Board, the body of EEA Regulators, helpfully said that they’re looking further into what those additional measures could consist of. … Right.
Now, at present, no one really knows what measures will be accepted or appropriate. Contenders, though, that you might look at, are:
Of course, if you store your data in the EEA and it’s never transferred, so there’s no access from outside the EEA, you don’t need to worry… or do you, because if you have a cloud provider in the EEA that’s the European arm of a US entity, that may be a problem, but let’s deal with what’s in front of us now and leave that for later!
This all highlights the need to have thought about this – if possible, have supplemental measures you can point to that, you argue make the SCCs a valid route.
Article 46 also includes Binding Corporate Rules. These are great, but they’re very rarely used. Across Europe, there are only 140 approved before GDPR and only five in the two years since. They can take up to two years to put in place. They’re expensive and time consuming.
So, while they’re fantastic, they’re statistically, and practically, irrelevant for now.
So, let’s just round up where we got to:
If you don’t follow the UK ICO’s advice, and you can’t make SCCs work for your transfer, is there anything else that can be done to help you transfer to the US? Yes, but it’s very limited.
Our 5th Action Point is to see if any derogations in Article 49 work for you. The Court left Article 49 alone. In fact, it said it was the reason it saw no need for a transition period, which is a very punchy statement indeed, and here’s why.
The EDPB’s Guidance on Article 49 makes clear it’s the last resort. They state that these derogations are only for use when Articles 45 and 46 aren’t of use. The derogations are just that, and must be interpreted restrictively so that the exception does not become the rule.
Now, for most organisations, the only grounds in Article 49 you’re likely to be looking at are the first 3 and if you’re public sector, these derogations can’t apply to activities carried out by public authorities in the exercise of their public powers.
Now the EDPB states that explicit consent has to be to the particular transfer. This suggests it has to be a separate consent, all on its own. And they note that GDPR’s Recital 111 says that the contract basis not only has to be ‘necessary’, but also ‘occasional’.
So, not exactly the wealth of opportunity the Court seemed to suggest!
So there we go, the practical impact of Schrems II – for now! Do keep an eye out for updated advice from authorities – it’s changing rapidly.
But we have been able to set out a pathway of 5 Action Points to explore for transfers to the USA. Please do look at our other Privacy Kitchen videos like ‘What is a Transfer for GDPR?’
Stay well in the meantime, and see you soon in Privacy Kitchen!
Many get the Privacy rules on email marketing wrong. For a start, they’re not in GDPR as commonly thought, they were set out in the EU e-Privacy Directive, which means…