Schrems II and the Privacy Shield Decision – What Now For EU Data Transfers?
Rule Number 1 for those in the privacy profession: become very comfortable with uncertainty.
That rule applies to last week’s landmark judgement in Data Protection Commissioner v. Facebook Ireland Limited and Maximilian Schrems (“Schrems II”) from the Court of Justice of the European Union (CJEU).
What does Schrems II mean for data privacy?
Over the past decade, there have been ongoing attempts to establish that US companies maintain an “adequate level of protection” for EU data. The EU-US Privacy Shield was introduced specifically to address data protection for personal data transferred from the European Union to the United States. Over 5000 companies soon relied on the Privacy Shield as their main legal mechanism for transferring personal data from the European Union to the United States.
The landmark judgement declares the EU-US Privacy Shield invalid, throwing the privacy world into disarray. Specifically, it throws into question the legality of transferring EU citizens’ data to the United States – and how personal data should be shared across borders.
Where the Privacy Shield Fell Short
The Court found that US law does not effectively limit access to data by US intelligence activities and does not provide any effective remedies that EU individuals can rely on once their data has been transferred to the US.
While the Privacy Shield did include an Ombudsperson to address data transfer deficiencies, this office was not independent enough from US legal requirements to be considered a sufficient mechanism for individual redress – and the Privacy Shield itself did not set out limitations on US intelligence powers.
The Department of Commerce has stated that it will continue to administer the Privacy Shield program, but the reality is that the program is now immediately considered an ineffective data protection mechanism for EU data transfers.
As Omer Tene, Chief Knowledge Officer of the International Association of Privacy Professionals quipped – the situation is essentially like trying to put a round peg in a square hole since “the standing requirements in the U.S. Constitution cannot be reconciled with legal challenges by individuals who are never told they are subject to government surveillance. And the Appointments Clause of the U.S. Constitution is not amenable to an entirely independent ombudsperson who would satisfy CJEU demands.”
Saved by the SCCs?
Schrems II thankfully did not invalidate per se the use of Standard Contractual Clauses (SCCs) as a data transfer mechanism.
However, the Court did foresee companies having to rely on “supplementary measures” or “other clauses and additional safeguards” in cases where SCCs alone cannot ensure protection. The CJEU left it unclear what measures or safeguards companies should be adopting now.
Reflecting on what this could mean, Dr. Chris Kuner, professor of law and co-director of the Brussels Privacy Hub, surmised: “The price of upholding the SCCs seems to have been making data controllers more accountable for taking action when legislation in the country of import allows for access to data going beyond EU standards.”
Who is affected?
Ultimately, all businesses, of any size and in any sector, that process EU data. The judgement affects the way personal data is collected, moved and shared across countries and borders, with potential ramifications across industries from social media to retail to government agencies and everywhere in between.
Now What?
Many are waiting on official guidance from the European Data Protection Board (EDPB); others will be talking to their internal and external legal counsel as to what legal mechanisms they should be relying upon in the interim.
In the meantime, when considering “additional safeguards” to SCCs from the data perspective, organizations can take a proactive approach to governing the transfer of personal data.
BigID helps organizations identify, manage, and monitor all personal and sensitive data activity – including cross border data transfers. With BigID, organizations can:
- Report on and monitor third party data sharing
- Detect out-of-policy cross-border data transfers
- Tag and label data for legal purposes
- Label data attributes based on residency of data subject for intra-company transfers
Understanding your data holdings, such as tying residency to an identity and knowing where that data is stored, is a great place to start for companies trying to work out what’s next after Privacy Shield.
As US Secretary of Commerce Wilbur Ross stated, we “hope to be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies, and governments. Data flows are essential not just to tech companies—but to businesses of all sizes in every sector.”