16 July 2020 was an important day in the history of the privacy law landscape, marked by the ruling of the Court of Justice of the EU (CJEU) in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (Schrems II). In its judgement, the CJEU declared the EU-US Privacy Shield invalid and put a question mark over the use of standard contractual clauses (SCCs). The judgement exposed the incompatibility between the data protection rights of EU residents and the United States' approach to surveillance of personal data.
In light of this ruling, the EU, and very possibly the UK, will need to make significant changes to their approach to international personal data transfers (IPDTs) to the United States. Here are four ways in which the decision is likely to affect data flows involving the U.K.:
- Immediate disruption of data flows between the U.K. and the US, since U.K. exporters relied on Privacy Shield just as EU exporters did
- The U.K.'s room for manoeuvre in seeking unrestricted data flows with both the EU and the U.S. has become limited
- An EU adequacy decision for the U.K. has been rendered less likely, though not impossible, because the U.K.'s own surveillance regime will be measured against the same standard
- There may be a long-term impact on the SCCs used to transfer data from the EU to the U.K., which could further disrupt data flows
Understanding the EU and US Incompatibility that Drives Schrems II
Schrems II declared the US approach to data privacy incompatible with EU data protection law. Why?
According to the CJEU, US national security agencies collect the personal data of individuals, including EU residents, for "national security" purposes without the kind of oversight and enforceable redress that EU residents can rely on. Section 702 of the US Foreign Intelligence Surveillance Act (FISA) and Presidential Executive Order 12333 (EO 12333) allow the US government to collect the communications data of non-US persons located outside the United States, in bulk.
However, these collection powers are nothing new and were already in place when the EU-US Privacy Shield was first negotiated. The question is: why such concern now?
A possible answer lies in how dramatically the global, data-driven economy has grown since 2008. Until now the EU treated the free flow of personal data as an important driver of economic growth, and tolerated US surveillance as the price of it; Safe Harbour and the Privacy Shield are both testimony to that trade-off. In Schrems II, however, the CJEU has in effect stated that the data protection rights of EU residents outweigh any economic advantage of a free flow of personal data to the United States.
The Uncertainties that Prevail
While we may have an answer, or at least a clue, to "why now?", several uncertainties still surround Schrems II. To begin with, nobody has a reliable figure for how much personal data companies in the EU actually need to transfer to the United States. Knowing this would tell us whether there is any real conflict between commercial interests and data privacy to debate at all.
It is equally unclear how far US companies depend on the personal data of EU residents. Faced with heavy regulatory pressure, what does a transatlantic company do? Would operating without any EU data really be as unfeasible as it seems? Could they simply keep the data in Europe?
These and many other questions remain open. For the time being they have been deferred by the CJEU's decision to leave SCCs in force. Whether SCCs will really prove workable in the near future is a different question altogether. Let's understand why.
SCCs – Will they Really Save the Day?
The CJEU's criticism of US law in Schrems II applies just as much to transfers made under SCCs. The court therefore held that SCCs remain a valid mechanism for IPDTs, but that the exporter must verify, case by case, that the law of the destination country does not undermine them, and must adopt supplementary measures where it does.
Even if companies make a genuine attempt to meet these additional requirements, few private organisations have the technical capability to do so convincingly. Some gaps are visible on a first reading of the requirements:
1. Encryption in transit only helps while the data is in transit. If the US importer decrypts the data, or holds the keys, the data is within reach of FISA 702 orders no matter how strong the cipher is; only an arrangement where the keys never leave the EU changes that.
2. Evaluating and reassessing data flows for such risks on a regular basis is expensive, and the assessment has to be repeated whenever the destination's law or the flow itself changes.
3. US surveillance programmes are understood to target traffic using selectors such as e-mail addresses or phone numbers. Where such selectors are visible in unencrypted metadata (message headers, routing information), a transmission can be singled out and retained even though its payload is encrypted.
4. Companies cannot choose the cables carrying their IPDTs, so they cannot route around cables susceptible to interception by the US government.
After Schrems II it is difficult to see how SCCs can practically be relied on for transfers of personal data to the United States. In addition, companies must now carry out a review of the law in every country to which they export personal data under SCCs. This puts a large question mark over the continued use of SCCs. It is quite possible that many organisations will start ring-fencing EU personal data so that it stays within the European Union.
To help organisations manage the upheaval in transatlantic IPDTs, the European Commission and the US Department of Commerce have announced that they are working together on a successor to the Privacy Shield that would satisfy the requirements set out in Schrems II. How fruitful those discussions turn out to be remains to be seen.
Schrems II – Looking at it Through the Global Lens
The Schrems II ruling also casts doubt on the adequacy decisions for countries such as New Zealand and Canada, both members of the Five Eyes intelligence alliance with the United States.
This is not new. These countries came under similar scrutiny when the earlier EU-US Safe Harbour arrangement was invalidated in Schrems I (2015). At that time the European Commission gave little thought to revisiting its adequacy decisions for states such as New Zealand or Canada.
Following Schrems II, businesses must include transfers to these countries in their risk assessments and keep documentation supporting those transfers, in line with the GDPR's accountability principle.
The Way Forward – What Businesses Can Do?
In this situation, the burden of complying with Schrems II falls on companies themselves. A good, practical starting point is to evaluate what data is actually sent to the United States: can they send less, or send only de-identified (pseudonymised) or aggregated data, so that fewer GDPR transfer obligations apply? Companies could also seek explicit written consent, at least from European-based employees, as a derogation for specific transfers. That route is fragile, however: consent must be freely given and can be withdrawn at any time, and regulators rarely regard consent obtained from employees as freely given, so it is a stopgap rather than a basis for routine, large-scale transfers.
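The "send less, or send de-identified or aggregated data" idea above is easiest to see in code. The following Python is an added example written for this page, not code from the article's author or from any regulator; the records, field names and the pseudonymisation key are all constructed for the demonstration. It applies three of the measures named in the text to a batch of EU records before they leave for a US processor: field minimisation (drop what the importer does not need), keyed pseudonymisation with a key held only by the EU controller, and aggregation with small-count suppression.

```python
"""Preparing EU personal data for transfer to a US processor.

Added example: minimise, pseudonymise and aggregate constructed sample records so that
direct identifiers and the pseudonymisation key never leave the EU controller.
"""
import hashlib
import hmac
from collections import Counter

# Constructed sample records (hypothetical customer data, not from the article).
EU_RECORDS = [
    {"email": "a.nowak@example.eu", "name": "Anna Nowak", "country": "PL", "plan": "pro", "age": 34},
    {"email": "b.meyer@example.de", "name": "Bernd Meyer", "country": "DE", "plan": "free", "age": 41},
    {"email": "c.dupont@example.fr", "name": "Claire Dupont", "country": "FR", "plan": "pro", "age": 29},
    {"email": "d.rossi@example.it", "name": "Dario Rossi", "country": "IT", "plan": "pro", "age": 52},
    {"email": "e.svensson@example.se", "name": "Eva Svensson", "country": "SE", "plan": "free", "age": 38},
    {"email": "f.garcia@example.es", "name": "Fernando Garcia", "country": "ES", "plan": "pro", "age": 45},
]

# Fields that identify a person directly; these are never exported as-is.
DIRECT_IDENTIFIERS = {"email", "name", "phone"}

# Fields the US processor actually needs for its task (assumption for this example).
EXPORT_FIELDS = {"country", "plan"}

# Hypothetical pseudonymisation key. In a real deployment it lives in an EU-resident
# KMS/HSM under the controller's control and is never shared with the importer.
EU_PSEUDONYM_KEY = b"constructed-demo-key-do-not-reuse"


def pseudonym(value: str, key: bytes) -> str:
    """Keyed, one-way pseudonym for a direct identifier.

    HMAC-SHA256 rather than a plain hash: without the key, an importer cannot rebuild
    the mapping by hashing a list of known e-mail addresses. Input is normalised so
    the same person always maps to the same token.
    """
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:32]


def prepare_for_export(record: dict, key: bytes, allowed: set) -> dict:
    """Minimise one record to the allowed fields and replace identity with a pseudonym.

    Every direct identifier is dropped; a single pseudonymous 'subject_id' is kept so
    the processor can still correlate events belonging to the same person.
    """
    out = {k: v for k, v in record.items() if k in allowed and k not in DIRECT_IDENTIFIERS}
    out["subject_id"] = pseudonym(record["email"], key)
    return out


def leaks_direct_identifier(row: dict) -> bool:
    """Pre-flight check: True if a row still carries any direct identifier field."""
    return any(field in row for field in DIRECT_IDENTIFIERS)


def aggregate(rows: list, group_by: str, min_count: int = 3) -> dict:
    """Replace individual rows with counts per group.

    Groups smaller than min_count are folded into 'other' so that one person cannot be
    singled out by a rare attribute value (a basic small-count suppression rule).
    """
    counts = Counter(r[group_by] for r in rows)
    result = {}
    for group, n in counts.items():
        if n >= min_count:
            result[group] = n
        else:
            result["other"] = result.get("other", 0) + n
    return result


def export_bundle(records: list, key: bytes) -> dict:
    """Build the payload that would actually cross the Atlantic."""
    rows = [prepare_for_export(r, key, EXPORT_FIELDS) for r in records]
    if any(leaks_direct_identifier(r) for r in rows):
        raise ValueError("refusing to export: direct identifier present")
    return {"rows": rows, "plan_counts": aggregate(rows, "plan")}


if __name__ == "__main__":
    bundle = export_bundle(EU_RECORDS, EU_PSEUDONYM_KEY)
    for row in bundle["rows"]:
        print(row)
    print("plan counts:", bundle["plan_counts"])
```

Two design points matter for the legal analysis above. The key stays with the EU controller, so the importer cannot reverse the pseudonyms even under compulsion; re-identification is only possible back in the EU. And the aggregate output is what a US party receives when individual-level data is not needed at all, which takes that flow out of the transfer problem entirely.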
To conclude, organisations that process personal data are among the parties most affected by this ruling. It is an ultimatum to rethink their data transfer practices: they must find ways to maintain or re-establish a lawful basis for transfers without the Privacy Shield, and the responsibility for making those transfers lawful now sits squarely with them. For the moment, the best businesses can do is to take the steps outlined above proactively. That way they will be better placed to respond to any further changes to the IPDT regime that may be introduced in the near future.