US/EU commerce without the use of the Privacy Shield

In the modern world of commerce, data has become both an enabler of commercial activity as well as a commodity. It is no wonder then that the regulation of both the collection and use of personal data is so often in the spotlight. It is for this reason that a recent ruling by the Court of Justice of the European Union (“ECJ”) has caused such a stir.

The ‘Schrems II case’ (Data Protection Commissioner v Facebook Ireland and Maximillian Schrems, Case C-311/18) determines that the EU-U.S. Privacy Shield Framework (“Privacy Shield”) does not adequately protect the personal data of the data subjects in question. So why is this so significant? The Privacy Shield was essentially a US government mechanism implemented by US-based organisations to protect the personal data of data subjects transferred from the European Economic Area (“EEA”), which includes all EU member states and Iceland, Liechtenstein and Norway. By holding that the US Privacy Shield does not in fact adequately protect the personal data of people based in the EEA, the decision has significant consequences for any trade between the EEA and the USA that relies on the transfer and use of such data. In this article, we look at the decision and its implications for deals between EEA and US-based organisations.

Protecting personal data

Depending on the jurisdiction, personal data of individuals is protected by the State through the implementation of rules to ensure that organisations (and other individuals) respect the privacy of people. Because these rules are in place, personal data can be freely transferred within the boundaries of the State without further restriction. If these rules are broken, consequences will follow, including the imposition of hefty fines on the wrongdoer. There are also usually restrictions placed on the State for how it can go about conducting surveillance of individuals and how it processes the personal data of people based in its jurisdiction.

The European Union (“EU”), together with States in the EEA, have implemented the General Data Protection Regulation (“GDPR”) to achieve the aims of protecting personal data. As such, personal data can be freely transferred across boundaries of States within the EEA because all affected individuals are guaranteed the same protections regardless of where the processing of their personal data takes place within the EEA.

This is obviously not the case in States outside the EEA. Every State will treat the protection of personal data differently - some States’ rules are more aligned with the GDPR, whereas others are significantly less so.

The crux of the argument and the decision of the Schrems II case was whether the Privacy Shield adequately protects the rights of people based in the EEA? The ECJ’s finding was a resounding “No”.

The Privacy Shield

The GDPR provides that the transfer of personal data to a country outside of the EEA may take place if the third country ensures an adequate level of data protection. The European Commission is empowered to make this decision and did so with respect to the Privacy Shield in July 2016.

The Privacy Shield is administered by the US Department of Commerce and enables US-based organisations to join the Privacy Shield by self-certifying their compliance with the US government and publicly committing to comply with its requirements. The commitment and self-certification are voluntary. Once the commitment is made, the organisation is bound to comply with the requirements which are enforceable under US law.

On this basis, many US-based organisations entered deals with EEA-based organisations (and individuals) specifying that the personal data of EEA data subjects may be transferred to the USA without restriction on the understanding that the European Commission decided that the Privacy Shield provided an adequate level of data protection. Maximillian Schrems (an Austrian national residing in Austria) disagreed with the European Commission and took steps against the US-based organisation – Facebook – to have the Privacy Shield declared an inadequate mechanism to protect the personal data of EEA individuals. Interestingly, Mr Schrems is the same individual who was successful in his litigation which culminated in the ECJ’s finding that the Safe Harbour framework (the predecessor to the Privacy Shield) did not provide an adequate level of data protection.

Why did the ECJ find that the Privacy Shield was inadequate?

If personal data is going to be transferred to a third country outside the EEA, then that third country must afford protection at a level essentially equivalent to that guaranteed by the GDPR. The ECJ noted that requirements of US national security, public interest and law enforcement have primacy over the Privacy Shield requirements, which condone the interference with the rights of data subjects. Due to the primacy of these requirements, the ECJ found that the Privacy Shield does not circumscribe such interference with the rights of data subject and as such the Privacy Shield does not satisfy the proportionality principle under EU law, in so far as the surveillance programmes of the US government are not limited to what is strictly necessary. Furthermore, the provisions of the Privacy Shield do not grant data subjects actionable rights before the courts against US authorities (including the Ombudsperson mechanism contained in the Privacy Shield).

What does this mean for the transfer of personal data from the EEA to the US?

The decision of the ECJ is profound. Around 5,400 US-based organisations use the Privacy Shield as the means to transfer personal data from the EEA to the US. This means that many organisations based in the EEA (including many of those based in Ireland and the UK) have struck deals with US-based organisations in terms of which the personal data of EEA data subjects are transferred to the USA based on the Privacy Shield. Without the Privacy Shield in place, these organisations will need to agree to an alternative international transfer mechanism.

In the same ECJ decision, the court found that the most commonly used means to regulate the transfer of personal data from the EEA to the USA – the standard data protection clauses (or standard contractual clauses) – are an adequate measure to ensure that the personal data of individuals based in the EEA are protected. This mechanism takes the form of an agreement (based on the European Commission decision, setting out pro-forma terms and conditions) entered into between the EEA-based entity (the data exporter) and the US-based entity (the data importer) which guarantees the rights of individuals based in the EEA.

Personal data may be transferred outside the EEA to the USA and other third countries using other mechanisms, such as ‘binding corporate rules’. Other countries, such as New Zealand, have been deemed to be an ‘adequate territory’ by the European Commission and as such, personal data from the EEA can be transferred, unencumbered, from the EEA to New Zealand. The European Commission is not known for making quick decisions on third countries that constitute ‘adequate territories’ so the list (currently limited to 12 countries) is not likely to grow very quickly.

As a result of the Privacy Shield decision, and except for countries that are deemed by the European Commission to provide an adequate level of protection (a category within which the USA is unlikely to be a part of any time soon), we foresee the standard contractual clauses as being the preferred mechanism to regulate the international transfer of personal data outside the EEA and the default tool used to transfer personal data from the EEA to the USA (and most likely every other country except for the list of 12). This is profound because there will likely be tens of thousands of transactions that are subject to international data transfer terms which are now non-compliant with the GDPR. This will require a significant amount of remediation work to ensure that adequate international transfer terms between organisations based in the USA and the EEA are entered into, with the most used mechanism likely to be the standard contractual clauses.

by Lighthouse Law

The information and views contained in this article does not constitute legal advice. If you do require legal advice, please contact us on hello@lighthouse.law.