When Europe’s top court scrapped the European Commission’s second attempt at establishing a cast-iron mechanism to ensure secure data transfers across the Atlantic, businesses knew there would be a price to pay.
Following a list of “frequently asked questions” issued on July 24 by the European Data Protection Board (EDPB), the EU body in charge of regulating Europe’s compliance with data privacy and the General Data Protection Regulation (GDPR), however, it became apparent the legal and financial burden for companies might actually be worse than first thought.
On July 16 the Court of Justice of the European Union (CJEU) invalidated the EU-U.S. Privacy Shield, which allowed (on paper, at least) some 5,300-plus validated companies safe access to EU citizens’ data without fear of legal reprisals under EU privacy law.
Like its predecessor—known as Safe Harbor, which was scrapped in 2015—the Privacy Shield was axed over concerns raised by Austrian privacy campaigner Max Schrems that U.S. surveillance laws allowed the government access to EU citizens data, thereby violating EU regulations.
Yet—while the Privacy Shield was immediately dropped as a legal option—two other principal mechanisms remain open. While valid, however, neither are legally bulletproof any longer.
Standard contractual clauses (SCCs)—“off the shelf” template contracts prepared by the European Commission that have been relied on by businesses to facilitate transfers for nearly 20 years—were ruled to still be valid, but with caveats: The level of data protection in the third country has to be equivalent to that in the European Union and, if not, companies and EU data protection authorities will have to proactively suspend or prohibit transfers of personal data.
The other mechanism available to EU companies—and not mentioned in the CJEU judgment—are binding corporate rules (BCRs), which follow EDPB guidelines, have stringent accreditation requirements, and can take a long time to implement. As a result, they are not a popular option (only 135 companies have signed up to them).
“The onus on companies having to check the circumstances surrounding a data transfer to third countries to ensure an equivalent protection to that afforded in the EU may become quite expensive and burdensome.”
Tanguy Van Overstraeten, Partner and Global Head of Privacy and Data Protection, Linklaters
Because the United States is not believed to be a safe country in terms of data privacy, and because of the country’s Foreign Intelligence Surveillance Act, however, BCRs may also give limited protection if companies continue to transfer data between the European Union and United States.
Lawyers had hoped the accreditation process around BCRs would be simplified and companies would be given a “grace period” to continue using SCCs as before the ruling without the threat of regulatory sanctions while the European Commission agrees to a third mechanism to ensure the safe transfer of data between the European Union and United States.
The EDPB, however, has ruled out both possibilities. Instead, say lawyers, the onus is firmly on companies—and poorly resourced data protection regulators—to ensure strict adherence to the GDPR when personal data is transferred to a third country. And if there is any doubt about the strength of a third country’s snooping laws (and not just the United States, but countries such as China, Russia, and India), data transfers to entities within it are out. Failure to prevent could result in a hefty fine of up to 4 percent of a company’s global revenues under the GDPR.
The EDPB says “supplementary legal, technical or organisational measures” may need to be used by companies to ensure compliance and provide safeguards, but it does not elaborate as to what these measures might be. Privacy experts say data encryption might be one possibility, but that this is neither a simple, nor cheap, remedy. The EDPB has said it will issue further guidance but has not specified when.
The GDPR actually envisages the development of codes of conduct and certification mechanisms that allow the lawful transfer of personal data from the EU/U.K. to countries such as the United States. According to Pulina Whitaker, a partner at law firm Morgan Lewis, however, none have yet been approved. As such, she says, “these options should now be prioritized for approval to fill the gap in allowing data transfers,” adding: “We would expect these to be approved within the next year.”
Tanguy Van Overstraeten, a partner and global head of privacy and data protection at law firm Linklaters, says “the onus on companies having to check the circumstances surrounding a data transfer to third countries to ensure an equivalent protection to that afforded in the EU may become quite expensive and burdensome.”
Van Overstraeten adds that while the CJEU ruling has immediate effect, he hopes there will be no active enforcement action from data protection authorities. “The EDPB has been fast in publishing its preliminary assessment in the form of FAQ. It has announced further guidance will be forthcoming, which I hope will be pragmatic and solution-driven. It is important not to enforce against companies that are looking for appropriate solutions while also awaiting guidance from supervisory authorities.”
Alex van der Wolk, partner and co-chair of law firm Morrison & Foerster’s global privacy and data security practice, thinks making companies and data protection authorities responsible for evaluating a destination country’s laws “is a huge burden to bear, and one can wonder whether it is at all appropriate to put this burden on the market and (generally) under-funded DPAs.”
“It took the Irish DPA millions of Euros to litigate the Schrems case, and it took the CJEU years to reach a conclusion on the adequacy of the Privacy Shield framework. It is unimaginable that companies or DPAs are able to do this for each and every transfer,” he adds.
Van der Wolk says “it’s unlikely there will be a political solution soon,” despite the pressing need. He believes the major question currently is whether SCCs can still be used for transfers to the United States and, if so, under what circumstances. While the CJEU gave guiding principles on how the SCCs are to be used, the practical implementation will have to come from lawmakers, data protection authorities, and the market itself, he says.
“The EDPB’s FAQs in that respect are not yet helpful as they say they are still evaluating what ‘additional measures’ may look like,” says van der Wolk. “It is very much hoped that the EDPB will come with further specifics on this.”
In the meantime, lawyers believe companies will perform risk assessments about where they are sending data to, what kind of protections they have in place, and what kind of data is being transferred.
Andy Serwin, U.S. chair and global co-chair of DLA Piper’s data protection, privacy, and security practice, says “for data importers, we expect that EU companies will drill in more to these issues and U.S. companies will have to have additional information ready for the inevitable questions. For EU companies (or U.S. companies that have EU operations) that are data exporters, they will have to conduct an analysis under GDPR to determine whether there is adequacy around the particular transfer in question.”
Experts are hopeful a practical, interim solution can be worked out quickly, but many admit the lack of a “grace period” is a cause for concern. Some expect increased regulatory scrutiny going forward, but several also expect an increase in consumer complaints about the safety of their personal data being transferred to countries with stringent cyber-security laws.
The lack of coordination among national data protection authorities about what enforcement approach they should take is another issue that needs to be resolved quickly. Privacy experts want guidance at EU level, indicating the circumstances per country under which SCCs can be used to transfer data. But already EU data regulators have signaled different approaches and tolerances to non-compliance.
For example, German data regulators have taken a hard line on adherence to the CJEU’s ruling and the inherent dangers of EU citizens’ data being sent to the United States, while the Irish Data Protection Commissioner has said data transfers to the United States are not invalid, just “questionable.”
U.K. companies, on the other hand, have been advised by the U.K. Information Commissioner’s Office to “conduct a risk assessment as to whether SCCs provide enough protection within the local legal framework” and “take stock of the international transfers … and react promptly as guidance and advice becomes available.” The ICO added it would take a “pragmatic” approach.
One privacy expert, who declined to be named, said: “The GDPR was supposed to bring a more consistent approach to enforcing data protection across the EU—not make it more fragmented. Guidance that is endorsed by all 27 EU data protection authorities (as well as the United Kingdom) is essential to ensure harmonization of rules and approach.”