Implications of the Privacy Shield ruling
November 2020 | FEATURE | DATA PRIVACY
Financier Worldwide Magazine
November 2020 Issue
In 2000, the European Commission (EC) introduced ‘Safe Harbor’, a principles-based, voluntary framework for companies transferring personal data of European residents to the US. But Maximilian Schrems subsequently took Facebook to court claiming that once his data reached US soil, privacy protection faded. As a result, Safe Harbor was declared invalid by the Court of Justice of the European Union (CJEU).
In place of Safe Harbor, the EC introduced the EU-US Privacy Shield, a framework designed to provide additional protection to EU citizens’ data through the introduction of new safeguards, such as the Data Protection Ombudsman, and a pledge that US surveillance would be limited.
However, on 16 July 2020, history repeated itself as the CJEU held that US law is inadequate to protect EU citizens’ personal data to the extent required by EU law.
According to the ruling in the case known as ‘Schrems II’, the US government cannot be trusted to maintain the confidentiality, integrity and availability of EU citizens’ personal data. The justices found that federal laws such as the Foreign Intelligence Surveillance Act “cannot be regarded as limited to what is strictly necessary” and fail to meet “minimum safeguards” guaranteed by the EU.
Certainly, the ruling has implications for many companies and authorities in the US and Europe.
Wilbur Ross, US secretary of commerce, said his department was “deeply disappointed” by the decision, and he hoped to “limit the negative consequences” to transatlantic trade worth $7.1 trillion.
As it stands, there is no clear guidance for companies on what comes next. Using the aftermath of Safe Harbor as a guide, it is likely that national authorities will now need to conduct their own investigations into individual complaints. This may significantly disrupt global data flows or, at a minimum, add layers of complexity.
According to the European Data Protection Board (EDPB), transfers based on the EU-US Privacy Shield framework are now illegal. For companies that relied on the EU-US Privacy Shield framework, there is no grace period during which they can continue transferring data to the US without assessing the legal basis for those transfers.
Amid the confusion, EU organisations have been advised that they may be able to rely on standard contractual clauses (SCCs) in their agreements with data processors. The CJEU believes that SCCs are a reasonable method to safeguard transatlantic transfers as they identify responsibilities surrounding those transfers and allow EU regulators to intervene in individual instances where the protection of European data is suspected to be inadequate. A number of large technology companies, including Facebook and Microsoft, are already using SCCs for transatlantic data transfers.
The European Data Protection Supervisor (EDPS) said it will continue to strive for a coherent approach among supervisory authorities regarding international transfers. It is analysing the consequences of the judgment on the contracts concluded by EU institutions, bodies, offices and agencies.
In the UK, the Information Commissioner’s Office (ICO) said in a statement: “The ICO is considering the judgment from the European Court of Justice in the Schrems II case and its impact on international data transfers, which are vital for the global economy. We stand ready to support UK organisations and will be working with UK Government and international agencies to ensure that global data flows may continue and that people’s personal data is protected.”
The security of data has perhaps never been more important to regulators, companies or the general public, so additional consideration will certainly be given to the future of transatlantic data transfers.
In August, Wilbur Ross and the European commissioner for justice, Didier Reynders, issued a joint statement on the future of the Privacy Shield: “The US Department of Commerce and the EC have initiated discussions to evaluate the potential for an enhanced EU-US Privacy Shield framework to comply with the July 16 judgment of the Court of Justice of the European Union in the Schrems II case.”
In the meantime, companies will need to consider a number of options in the wake of the Schrems II ruling. One is data localisation, whereby companies store all personal data originating in the EU within the region, to avoid unlawfully transferring it to the US. But data localisation can be expensive and could give rise to certain technical problems, as well as make it more difficult for multinational companies to deliver their services.
Since data flows are critically important to multinational companies, plans are needed to facilitate the safe, legal transfer of data across the Atlantic as soon as possible.
© Financier Worldwide
By Richard Summerfield