Mad Max II

Max Schrems has spoiled US plans for dealing with data from European countries for a second time. On 15^th July, the CJEU issued a judgment which invalidated the U.S. Privacy Shield. This had previously enabled data transfers between the U.S. and the EU without the need for any alternative transfer mechanisms. 

Privacy Shield was developed following a successful challenge to its predecessor, Safe Harbor. That challenge was also raised by Mr Schrems and once again his victory will have significant ramifications for UK and EU business which do business in the US.

How to send data to non-EU countries

Currently, companies in the UK require one of the following conditions to apply in order to transfer personal data to non-EU countries: 

1. The country the data is being sent to has an ‘adequacy notice’ issued by the EU (meaning that the EU deems the country’s data protection laws to be on a par with the EU). The list of approved countries is not long, and does not include the US – hence why Privacy Shield was developed.
2. The SCC (standard contractual clauses produced by the EU) are incorporated into the contract with the recipient party.
3. The company use Binding Corporate Rules (which apply to group companies which develop and get approval for their own rules). These are not common and most companies, including global players such as Amazon Web Services, will not have these.
4. The company uses some approved code of conduct or certification method or a binding instrument between national data protection bodies (but none of these are available just now).
5. The company obtains explicit consent from the data subject each time it transfers data to a third country. This is usually not feasible given the frequency with which data may be accessed from third countries. 

What is Privacy Shield?

The idea behind Privacy Shield (and previously Safe Harbor) was to provide an alternative option to EU companies wishing to send personal data to the US.  Even though the US had no adequacy notice, if you sent personal data to a company which had signed up to Privacy Shield, the adequacy notice was effectively deemed to apply.  You therefore didn’t need to meet any of the other conditions listed above.

However, thanks to Mr Schrem’s latest victory, this option is no longer on the table.  This means you need to look at options 2-4 above if you are sending personal data to the US.  However, as option 4 is not readily available just now, option 3 is unlikely to apply in most cases and option 5 hugely impractical, then in practice, the choice in many cases will be limited to one: using the SSC.

Complications

Although the CJEU explicitly upheld the validity of the SCC, there is one complicating factor. The CJEU specifically reviewed section 702 of the US Foreign Intelligence Surveillance Act (FISA), which allows the National Security Agency to obtain foreign intelligence of non-Americans outside the US through data stored with electronic communications services providers (e.g. Facebook or other cloud networks). Most electronic data is sent to the US with underwater cables, which the NSA is able to farm for its own purposes.

The CJEU held that this particular U.S. law is per se incompatible with European law because the US laws are not limited to what is strictly necessary and proportional as required by EU law. Therefore, there is no equivalent protection to European data subjects guaranteed by the EU charter, and so the EU-US Privacy Shield was held to be immediately invalid.

Furthermore, if the importer is subject to legal obligations within its own country (in this case, the US) which does not meet the same level of protection for data subjects as in the EU, then they would not be able to fulfil their obligations under the SCCs.

The offshoot is that some have interpreted this to mean that if companies are transferring data to the US, and they are using cloud storage providers who do not use binding corporate rules (such as Amazon Web Services), the data might be subject to collection by the NSA and therefore, the transfer of data would not be legal, even under the SCCs.

The new reality

But don’t panic. There are steps companies can take even under the most conservative of approaches to the new ruling.

• First, make sure you review the SCC and ensure you can abide by the obligations within them.
• Then make a determination as to whether you need additional protections on top of the SCC to ensure the data is protected to the level of EU law and transfers under the SCC remain valid (such as encrypting your data). This might be the case if the data importer is subject to frequent surveillance or federal investigation.
• Conduct an audit of any privacy shield companies that you work with and execute the SCC executed.
• Remember that existing commitments under the Privacy Shield are still enforceable by the U.S. Federal Trade Commission – so keep doing what you’ve been doing.
• Wait and see before you change any fundamental business practices. There is a new version of the SCC to be released, and this ruling will no doubt be reflected within them. Also, the ICO and European Data Protection Board are expected to issue guidance to companies in order to protect the crucial transatlantic relationship between the US and the EU.

Brexit

As to what happens at the end of this year, when the post-Brexit transition period ends, things are still uncertain. If the UK is granted an adequacy notice, transfers from European countries can continue unfettered. Otherwise, if EU countries wish to send data back to the UK, there will need to be SCCs between each party as well. The message to UK companies who engage in data processing is to start reviewing your data flows and contracts now.

If you have questions about data protection and third country data transfers, contact the data protection team.

Author

Danielle Prado Associate IP, Data & Contracts View profile