It appears Europe’s data authorities are prepared to interpret a key court judgement as they see fit in the absence of definitive guidance from Europe’s primary privacy regulator.
On July 16, Europe’s top court, the Court of Justice of the European Union (CJEU), ruled the Privacy Shield, used by thousands of companies to transfer data between the European Union and United States, was immediately invalid and could no longer be used due to the strength of U.S. surveillance laws.
It also said that while other long-existing mechanisms—namely standard contractual clauses (SCCs) and binding corporate rules (BCRs)—remained technically valid, they should not be relied upon without companies themselves checking to see if the country the data was being sent to had similarly stringent data privacy rules as the European Union in place.
The decision caused shockwaves: Not only are all data transfers from the European Union to the United States technically suspect and a potential breach of the General Data Protection Regulation (GDPR), but six weeks on from the CJEU decision there is still no finalized guidance from the European Data Protection Board (EDPB) as to what companies should do (other than through a FAQ format), no replacement data transfer mechanism in sight, and no joined-up thinking between Europe’s 28 national data regulators who are now meant to step in and suspend or prohibit transfers of data to unsafe countries “where appropriate.”
The default position of most data regulators in practice, say experts, is that—despite the clear ruling from the CJEU that there is no grace period in place—the Privacy Shield will remain allowable as companies migrate to using other mechanisms, namely SCCs.
“However, this is far from an official view and is not sanctioned by the EDPB,” says one lawyer who declined to be named.
Acknowledging the CJEU ruling, the majority of EU data authorities have said they will work toward a common position with other EU regulators, as well as wait until the EDPB produces clear guidance.
Few have issued prescriptive clarifications of what companies ought to do. For example, in an updated response issued July 27, the United Kingdom’s Information Commissioner’s Office (ICO) said it “will continue to apply a risk-based and proportionate approach” while providing “practical and pragmatic” advice and support.
There are some exceptions, however. CNIL, the French data protection authority, issued guidance via a FAQ section of its website on July 31. It explicitly says the Privacy Shield is invalid, and that while BCRs and SCCs are technically allowable, their safe use depends on whether a risk assessment conducted by the data exporter shows that the third country to which the data is being transferred provides a level of data protection comparable to the European Union's. If not, such transfers should be stopped. CNIL also says SCCs should be revised so that certain, more sensitive kinds of data are prevented from being transferred to the United States, which therefore requires companies to risk-assess what types of information are being sent to or held in third countries.
Germany’s 19 federal and regional data regulators were among the first to signal they would follow the CJEU’s ruling strictly. The national German Federal Data Protection Commissioner has said companies and authorities must now take “special safeguards” when transferring data to the United States, adding that it would push for a “rapid implementation” of the judgment for particularly relevant cases.
Some regional authorities have taken slightly different—even tougher—approaches. The Berlin supervisory authority, for example, has called for organizations to immediately transfer personal data formerly stored in the United States back to Europe. It has also said all organizations using cloud services in the United States should immediately switch to service providers located in the European Union or in a country with an appropriate level of data protection.
The Rhineland supervisory authority, meanwhile, has said organizations need to be clear in their privacy notices that the continued use of SCCs and BCRs cannot guarantee data exchanges to the United States are protected or immune from prosecution under the GDPR.
On Aug. 24, the supervisory authority for the state of Baden-Wuerttemberg issued what is deemed to be the first substantive guidance on how to conduct the necessary analysis and risk assessment.
It calls into question whether data transfers to the United States based on SCCs can continue if they are not accompanied by additional measures such as encryption (strong enough that foreign intelligence services cannot decrypt it), anonymization, or pseudonymization. It also suggests companies should reach out to their service providers in third countries (or their affiliates) and negotiate supplementary clauses to accompany the SCCs to give themselves (and their data subjects) more protection.
In addition, the supervisory authority threatens companies with enforcement actions if they fail to take the required steps. Like the Berlin supervisory authority, the guidance recommends localizing personal data in the EU/EEA in order to avoid a transfer of data to third countries.
Such guidance sounds tough, but experts question how effectively it can be policed. The GDPR is a complaints-driven piece of legislation, and it is doubtful data regulators will have the stomach to meaningfully enforce these tough rules so quickly after the CJEU judgment, especially without guidance from the EDPB for all other regulators to uniformly follow. It may also be too impractical—as well as expensive—for companies to follow, they say.