Privacy Shield: Companies face new hurdles to legally transfer data to the US

Question marks remain over SCCs

US surveillance laws give few rights of redress to EU citizens if their data is misused. That meant there were question marks over whether SCCs were a lawful alternative to Privacy Shield, said Dixon.

The ECJ  has raised questions over the US Executive Order 12333, which has been used by the US National Security Agency as a legal basis for collecting data passing through the datacentres of big tech companies, including Google.

It has raised further concerns about the US National Security Agency’s ability to extract emails and other private data by tapping underwater internet cables.

Questions remain whether data transfers from Europe to the US “under any mechanism” would comply with European human rights law, Dixon told lawyers and privacy experts in a seminar organised by the International Association of Privacy Professionals.

“The EU charter of fundamental rights is very serious business,” she said. “The recognition of the right to privacy in article 7 – and the right to protection in article 8 – raise very high standards and are hard to implement.”

Andy Serwin, a partner at DLA Piper, advised the Irish data protection commissioner during legal proceedings that were initiated by Austrian lawyer Max Schrems seven years ago, when he complained that Facebook Ireland was breaching EU law by sharing his data with Facebook in the US.

Serwin said companies should assess the likelihood that any data they send to the US would be subject to interception, depending on which industry sector their companies were in, and use that to support their use of SCCs to transfer data to the US.

FISA: Are you likely to be a target?

The relevant US law is Section 702 of the US Foreign Intelligence Surveillance Amendments Act (FISA), which gives US government agencies the right to search and collect communications and data on non-US citizens without a warrant.

Companies transferring data to US firms would be on firmer ground under EU law if they could show that, in reality, their US business partners rarely received orders under FISA to hand over private data.

US companies cannot refuse to respond to orders to hand over data to US law enforcement and intelligence agencies under FISA.

But they can publish how many requests they receive, allowing European companies to benchmark the risks of transferring personal data overseas.

Serwin said: “If you’re a pharmaceutical company transferring clinical trial data, I’ll never say never, but the odds of you getting a FISA request for that data are probably pretty low.”

Businesses should also consider whether US state laws could provide EU citizens with rights of redress that are not provided for in federal law, as part of their assessment of the validity of SCCs.

“The core of this case was US surveillance law,” said Serwin. “If that’s what invalidated Privacy Shield and raised the questions about SCCs, companies probably do have to look at in-country law.”

EU and US laws are difficult to reconcile. European privacy laws are based on human rights, while the US regards privacy as a property right.

“The real question we’re all struggling with today is how do you square a fundamental human rights view with a property rights view?” said Serwin. “FISA standards are different for US and non-US persons.”

One solution for the US government could be to define the safeguards in FISA and other surveillance programmes more broadly by including protections for European residents.

But whether the US government would be willing to do so is far from certain.

Whisper it: use SCCs anyway

In the meantime, lawyers are advising companies to use SCCs to transfer data to the US and other countries that may not comply with EU privacy and data protection laws, in the absence of other clear alternatives.

Serwin added: “If I were advising anyone for now, it’s stay the course for now with SCCs, try to gather what you can around what legal protections exist in the US in your industry, in the states where you’re doing business, such as California.”

Businesses cannot ignore the “spectre of underseas cables and general background of surveillance in the US”, he said, but they can take steps to bolster their legal case for transferring data.

“Try to deduce how often you’ve gotten these [FISA] requests, how often your processors or data importers have had these requests,” he said.

Dixon said she was not yet able to recommend that companies switch from Privacy Shield to SCCs, but agreed that in practice they had little choice.

“Go towards SCCs because they remain technically valid and available, and try and adduce those supplemental safeguards with guidance from the European Data Protection Board in due course,” she said.

That could mean, for example, that some sectors of industry would be able to assert that their data would never be subject to access by the National Security Agency, said Dixon.

“I wouldn’t be guiding in that direction [towards SCCs], but we acknowledge that it is the only logical place that companies can go now,” she added.

Berlin: time for digital autonomy

In Germany, Berlin’s data protection commissioner went further than other European data protection supervisors by calling for companies to move their data from the US to European service providers.

Maja Smoltzyk said it was now time for digital autonomy for Europe. “The ECJ has stated in clear terms that data exports cannot only be about the economy, but that fundamental rights must be paramount,” she said. “The times when personal data could be transferred to the US for convenience or cost savings are over.”

Dieter Krugleman, regional data protection commissioner for Germany’s ninth largest state, Rhineland-Palatinate, said data transfers to the US under Privacy Shield were illegal with immediate effect. He warned that organisations cannot exempt themselves from meeting data protection obligations by using SCCs.

“The ball is now in the field of those responsible,” he said. “They cannot avoid dealing intensively with the national laws of the third country to which they want to transmit data.”

Schrems presses Ireland to make decision on Facebook

The court’s decision to strike out Privacy Shield follows a seven-year legal battle by Austrian lawyer Max Schrems, who is suing Facebook Ireland, which he accused of breaching EU law by sharing his personal data with Facebook in the US.

Schrems wrote to Irish data protection commissioner Dixon this week asking what steps she will take to issue a decision on Facebook’s use of SCCs, seven years after his original complaint.

“I would be grateful if you confirm within seven days the next steps that you propose to take in order to issue a decision,” he said.