
Fall of EU-US Privacy Shield: What happened? What now?

(Image credit: Wk1003mike / Shutterstock)

Europe has been the home of the world's growth in privacy and of privacy-minded individuals. This is not to say they do not exist elsewhere, but they are definitely in Europe. The United States is not a home of privacy. There are many disparate laws, and they lag Europe significantly. This has been a problem for business for many years. It just got more complicated. On 16 July 2020, privacy law between the United States and the European Union changed. Privacy protections that were enshrined in the EU–US Privacy Shield were declared invalid. Not because of concerns that they were not adequate in and of themselves. No, they were declared invalid because of a lack of trust and European residents' lack of standing in some courts.

What does invalidated mean in this case? The high court of Europe, the Court of Justice of the European Union (CJEU), declared the set of legal instruments called the EU–US Privacy Shield invalid. The case was Case C-311/18, often called the Schrems II judgment or ruling (Schrems I invalidated Safe Harbor, a similar agreement between the EU and the US). In other words, the instruments no longer satisfy the privacy regulation called the General Data Protection Regulation (GDPR), also known as Regulation (EU) 2016/679. This is the bedrock of privacy in Europe and a gleaming beacon for privacy activists around the globe.

What does this mean?

The Schrems II case has just received its verdict, so what happens next is somewhat uncertain. The verdict shut down and invalidated the traditional protection framework used for the transfer of personal data between the United States and the European Union. It did not, however, shut down the traditional Standard Contractual Clauses (SCCs), the preferred protection mechanism for privacy in data transfers. Companies now need to make a few decisions and settle on a plan of action:

  1. Stop EU-US data transfers
  2. Stop doing business in the EU
  3. Convert to SCCs and maintain Privacy Shield
  4. Convert to Standard Contractual Clauses (SCCs)

So those are the basic choices businesses have today. Interestingly, they are not all as simple as they sound.

The first option is to stop EU-US data transfers. This means not processing, transferring, or storing personal data of EU residents in the United States. Please note that this does not say EU customers, but EU residents. This gets very complicated if you work with any EU residents as employees or contractors, or have business agreements with them. How do you separate the business? Sometimes you break your business into components and limit what data is transferred across borders. This can be complicated, however, because the definition of personal data is very broad and organic: it will evolve to include more.

Option two, stop doing business in the EU, can have a massive impact on a business. Sometimes a business doesn't understand what data is coming from which country. The company may not be focused on business from the EU, but saying your company won't accept sales from the EU, or refuses to do business in the EU, just sounds weird to most people. This is something a company would have to consider long and hard, and it would probably be better as a temporary measure if it had to be done to stay compliant. The question is, for a Privacy Shield company that has self-certified, does it need to instantly ban the transfer of data now, and then quickly make changes to move to SCCs? While this would not be wrong on the legal side, most businesses need to focus on doing business. It's a dirty little secret in compliance and risk management that sometimes you will not comply, because complying would stop your business from being able to do business. This article is not legal advice; that is best obtained from privacy attorneys. But your internal privacy team will need to decide whether it wants to take such a drastic measure.

The third option is rather different: convert to SCCs and maintain Privacy Shield. What makes this interesting is that the EU-US Privacy Shield was nullified, but no documentation has been released about the Swiss-US Privacy Shield. So at the moment this may not be a bad move for many companies, and removing yourself from Privacy Shield may not be as simple as people think. The Privacy Shield program still expects those who have certified under it to remain under its review. It notifies participants of this on the Privacy Shield website with this statement: "…This decision does not relieve participants in the EU-U.S. Privacy Shield of their obligations under the EU-U.S. Privacy Shield Framework…".

So how about option four, convert to Standard Contractual Clauses (SCCs)? This is really where most businesses should have started. The problem was that Privacy Shield was something a lot of people believed they could rely on, and that it would give them extra assurance. This turned out not to be the case, and it had been in question for quite some time among privacy professionals. However, converting to SCCs can be a bit complex to implement rapidly. You have to identify exactly what is being transferred, include that information in the contractual clauses, and use the exact approved verbiage. This sounds great: you have approved verbiage. Yes and no. The verbiage is very limited and a bit antiquated. It can, however, be made to work. For most businesses, this will be the recommended path.

Why did this happen?

In essence, the belief was that the agreement, and the collection of mechanisms managing it, were not real protections.

The three reasons were simple: the Foreign Intelligence Surveillance Act ("FISA"), Executive Order 12333, and Presidential Policy Directive 28 made the validity of the privacy agreements questionable.

What did these do? Well, FISA created and manages a secret court system for dealing with terrorists and agents of foreign powers (and, oddly, a whole slew of other people foreign to the USA). FISA is constantly being updated but came into being during the presidency of Jimmy Carter.

Ronald Reagan signed Executive Order 12333, which was meant to get federal agencies to support the CIA's requests for information. Note that this Executive Order has been updated several times, under many presidents. Presidential Policy Directive 28 was signed by President Obama. This was all about signals intelligence and the collection of digital information. It was very open in the way it was done, although there are privacy protection clauses in the directive.

What is the difference between Standard Contractual Clauses and Privacy Shield?

Privacy Shield was a standard of agreement that a company self-certified to. It consisted of mechanisms based on what should be done, and processes through which a complaint could be filed or a judgment made. It included many different mechanisms to protect the privacy of people. Standard Contractual Clauses are clauses put into a contract between a processor and a controller, or between a controller and another controller, that focus on how private or personal data is managed. One was run by the US government; the other is something that each company is required to manage on its own.

What if I am already using Standard Contractual Clauses?

The good news is that what privacy professionals have been urging companies to use is still valid: Standard Contractual Clauses. These are approved clauses that focus on data privacy and should be slipped into agreements whenever possible for EU-US (or any EU-anywhere) transfers of personal data. However, always look at the clauses used and do a bit of a sanity check, having your privacy professionals double-check for any loopholes that could cause problems in the future.

Companies should always take an extra look at the clauses they are using, and make sure they keep up with any changes that come about on the EU's website listing those clauses. Also make sure that the clauses remain accurate. If the data being collected is being used differently, or it is different data, then the clauses need to be updated before the changes happen. Consider whether you are a controller or a processor, and review the appropriate clauses on the EU's website.

What about Covid-19?

So, the scary question: will this impact Covid-19 research? It should not, but it could. It depends on how the companies doing the research have set up their contracts for data transfer.

After the fall of Safe Harbor, a privacy professional would have shied away from recommending reliance on the EU–US Privacy Shield alone. However, to some, it may have been an easy button. Those companies will now have to make rapid adjustments if their research is critical to the developing fight against Covid.

One of the things that makes Covid-19 and its impact on data privacy interesting has been the unbelievable data-sharing going on to combat the disease. Stopping this was not the purpose of the EU court's decision, yet there is more data-sharing going on for this disease at the moment than there probably should be, legally. In the past, people would say that it is bad optics to impact groups doing good with privacy regulations. Optics are not a legal defense. If your company is working on combating Covid-19, please consider implementing Standard Contractual Clauses immediately.

Conclusion

In the end, companies need to keep up with changes to privacy regulations wherever they do business. For many, that will mean it is time to implement Standard Contractual Clauses for privacy and continue doing business. This is not the time to panic, and it is not the time to wonder about what comes next. This is the time to review your contracts, update them, and keep business running. Interestingly, many of your contracts probably already have some of this verbiage in them.

Privacy laws have changed, and how data is transferred between the European Union and the United States is different than it was. Is this reason to panic? No, this is no reason to panic. Was this something many people foresaw? Yes, it was. This was expected, although, oddly, the greatest concern was that there would be an impact on Standard Contractual Clauses, and that did not occur.

One of the problems the EU has is that, while the US government has some issues with privacy, many other governments are significantly less privacy-centric. Some countries have no true right to privacy. What sets the United States apart from many other countries that could have run into this problem is twofold. The first is that some of the largest data-based companies are based in the US. The second is that the US tries to have a tighter relationship with Europe, and therefore this kind of expectation of increased protection for European residents is to be expected.

Robert Meyers, compliance and privacy professional, One Identity