European businesses will have to conduct time-consuming assessments of US law to ensure their data transfers to the US are lawful, following the European Court of Justice’s decision to strike down the EU-US data-sharing agreement, Privacy Shield, it was claimed this week.
Thousands of companies gearing up to replace Privacy Shield with legal agreements known as standard contractual clauses (SCCs) have been told they can no longer rely on “tick-box” exercises to show they are compliant with EU data protection and human rights laws.
The European Court of Justice (ECJ) has made it clear that companies will have to take responsibility for ensuring they comply with EU law if they want to continue sharing data with the US following its decision to invalidate Privacy Shield.
The case brought by the Irish data protection commissioner, Helen Dixon, against Facebook and Austrian lawyer Max Schrems has created huge uncertainty for businesses and data protection regulators, who are struggling to understand its full implications.
Dixon said the European Court’s judgment had for the first time “put a spotlight” on the need for businesses to carry out legal assessments before they start sharing data with countries outside the EU.
“The judgment is clear that that is what is going to be required,” she told an online conference following the court’s verdict. “That burden for smaller companies is enormous. As director of a data protection authority conducting that analysis, it’s an extremely labour-intensive, expensive process. The challenges are enormous.”
Dixon’s comments came as European data protection regulators warned companies that they would need to carry out formal assessments, including considering the US’s legal regime if they wanted to send data to the US (see box below).
Question marks remain over SCCs
US surveillance laws give few rights of redress to EU citizens if their data is misused. That meant there were question marks over whether SCCs were a lawful alternative to Privacy Shield, said Dixon.
The ECJ has raised questions over the US Executive Order 12333, which has been used by the US National Security Agency as a legal basis for collecting data passing through the datacentres of big tech companies, including Google.
It has raised further concerns about the US National Security Agency’s ability to extract emails and other private data by tapping underwater internet cables.
Questions remain over whether data transfers from Europe to the US “under any mechanism” would comply with European human rights law, Dixon told lawyers and privacy experts in a seminar organised by the International Association of Privacy Professionals.
“The EU charter of fundamental rights is very serious business,” she said. “The recognition of the right to privacy in article 7 – and the right to protection in article 8 – raise very high standards and are hard to implement.”
Andy Serwin, a partner at DLA Piper, advised the Irish data protection commissioner during legal proceedings that were initiated by Austrian lawyer Max Schrems seven years ago, when he complained that Facebook Ireland was breaching EU law by sharing his data with Facebook in the US.
Serwin said companies should assess the likelihood that any data they send to the US would be subject to interception, depending on which industry sector their companies were in, and use that to support their use of SCCs to transfer data to the US.
FISA: Are you likely to be a target?
The relevant US law is Section 702 of the US Foreign Intelligence Surveillance Amendments Act (FISA), which gives US government agencies the right to search and collect communications and data on non-US citizens without a warrant.
Companies transferring data to US firms would be on firmer ground under EU law if they could show that, in reality, their US business partners rarely received orders under FISA to hand over private data.
US companies cannot refuse to respond to orders to hand over data to US law enforcement and intelligence agencies under FISA.
But they can publish how many requests they receive, allowing European companies to benchmark the risks of transferring personal data overseas.
Serwin said: “If you’re a pharmaceutical company transferring clinical trial data, I’ll never say never, but the odds of you getting a FISA request for that data are probably pretty low.”
Businesses should also consider whether US state laws could provide EU citizens with rights of redress that are not provided for in federal law, as part of their assessment of the validity of SCCs.
“The core of this case was US surveillance law,” said Serwin. “If that’s what invalidated Privacy Shield and raised the questions about SCCs, companies probably do have to look at in-country law.”
EU and US laws are difficult to reconcile. European privacy laws are based on human rights, while the US regards privacy as a property right.
“The real question we’re all struggling with today is how do you square a fundamental human rights view with a property rights view?” said Serwin. “FISA standards are different for US and non-US persons.”
One solution for the US government could be to define the safeguards in FISA and other surveillance programmes more broadly by including protections for European residents.
But whether the US government would be willing to do so is far from certain.
Whisper it: use SCCs anyway
In the meantime, lawyers are advising companies to use SCCs to transfer data to the US and other countries that may not comply with EU privacy and data protection laws, in the absence of other clear alternatives.
Serwin added: “If I were advising anyone for now, it’s stay the course for now with SCCs, try to gather what you can around what legal protections exist in the US in your industry, in the states where you’re doing business, such as California.”
Businesses cannot ignore the “spectre of underseas cables and general background of surveillance in the US”, he said, but they can take steps to bolster their legal case for transferring data.
“Try to deduce how often you’ve gotten these [FISA] requests, how often your processors or data importers have had these requests,” he said.
Dixon said she was not yet able to recommend that companies switch from Privacy Shield to SCCs, but agreed that in practice they had little choice.
“Go towards SCCs because they remain technically valid and available, and try and adduce those supplemental safeguards with guidance from the European Data Protection Board in due course,” she said.
That could mean, for example, that some sectors of industry would be able to assert that their data would never be subject to access by the National Security Agency, said Dixon.
“I wouldn’t be guiding in that direction [towards SCCs], but we acknowledge that it is the only logical place that companies can go now,” she added.
Berlin: time for digital autonomy
In Germany, Berlin’s data protection commissioner went further than other European data protection supervisors by calling for companies to move their data from the US to European service providers.
Maja Smoltczyk said it was now time for digital autonomy for Europe. “The ECJ has stated in clear terms that data exports cannot only be about the economy, but that fundamental rights must be paramount,” she said. “The times when personal data could be transferred to the US for convenience or cost savings are over.”
Dieter Kugelmann, regional data protection commissioner for Germany’s ninth largest state, Rhineland-Palatinate, said data transfers to the US under Privacy Shield were illegal with immediate effect. He warned that organisations cannot exempt themselves from meeting data protection obligations by using SCCs.
“The ball is now in the field of those responsible,” he said. “They cannot avoid dealing intensively with the national laws of the third country to which they want to transmit data.”
Schrems presses Ireland to make decision on Facebook
The court’s decision to strike out Privacy Shield follows a seven-year legal battle by Austrian lawyer Max Schrems, who is suing Facebook Ireland, which he accused of breaching EU law by sharing his personal data with Facebook in the US.
Schrems wrote to Irish data protection commissioner Dixon this week asking what steps she will take to issue a decision on Facebook’s use of SCCs, seven years after his original complaint.
“I would be grateful if you confirm within seven days the next steps that you propose to take in order to issue a decision,” he said.
Data protection regulators call for new framework to replace Privacy Shield
Europe’s data protection regulators said this week that the EU and the US should develop a new framework that will guarantee that personal data in the US receives “essentially equivalent” protection to personal data in the EU.
The European Data Protection Board (EDPB), an independent group of 30 data protection regulators from Europe and the European Economic Area, has criticised the lack of safeguards for EU citizens under US surveillance laws, which allow the collection and analysis of the private data of non-US citizens for national security.
Following the ECJ’s invalidation of Privacy Shield, companies are still free to use an alternative legal mechanism, known as standard contractual clauses (SCCs), to transfer data between the EU and the US.
But in a statement issued after the decision, the regulators warned that companies that use SCCs to import and export data will be responsible for ensuring that they comply both with Europe’s General Data Protection Regulation (GDPR) and the EU Charter of Fundamental Rights.
The statement said that organisations exporting data to the US or other countries will need to carry out assessments of the SCCs, the circumstances of the transfer and the legal regime of the country. “The exporter may have to consider putting in place additional measures,” it said.
Data protection regulators have a duty to suspend data transfers under SCCs if the receiving country cannot, or will not, comply with their requirements.
“The EDPB will assess the judgment in more detail and provide further clarification for stakeholders and guidance on the use of instruments for the transfer of personal data to third countries pursuant to the judgment,” the statement said.