Considerations on the EU – U.S. Privacy Shield

Personal data privacy management across the Atlantic is among the core topics tackled by the Think NEXUS project. As such, the latest European decision on the EU-US Privacy Shield constitutes an important development within its ecosystem. The following article details the context, consequences and reactions associated with this decision (extracted from Think NEXUS deliverable D1.4).

The adequacy decision on the EU-US Privacy Shield was adopted on 12 July 2016 (Decision 2016/1250) and the Privacy Shield framework became operational on 1 August 2016. This framework protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States for commercial purposes. It allows the free transfer of data to companies that are certified in the US under the Privacy Shield.

The Framework includes:

  • Strong data protection obligations on companies receiving personal data from the EU
  • Safeguards on US government access to data
  • Effective protection and redress for individuals
  • An annual joint review by the EU and the US to monitor the correct application of the arrangement.

In the EU, the Privacy Shield is enforced by the European Commission (EC) DG JUST.

On the U.S. side, the EU-US Privacy Shield Framework, monitored by the U.S. Department of Commerce, provides companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce. The Privacy Shield program, which is administered by the International Trade Administration (ITA) within the U.S. Department of Commerce, enables U.S.-based organisations to join one or both of the Privacy Shield Frameworks in order to benefit from the adequacy determinations.

To join the Privacy Shield Framework, a U.S.-based organisation [is] required to self-certify to the Department of Commerce and publicly commit to comply with the Framework’s requirements. While joining the Privacy Shield is voluntary, once an eligible organisation makes the public commitment to comply with the Framework’s requirements, that commitment becomes enforceable under U.S. law.

Court of Justice of the European Union’s repeal of the ‘EU-US privacy shield’

The latest Court of Justice of the European Union (CJEU) judgement in the NGI-related field has had a ‘considerable impact’ on EU-US internet-related collaborations. Namely, the judgment in Case C-311/18 – Data Protection Commissioner v Facebook Ireland and Maximillian Schrems[1], issued on 16 July 2020, essentially repeals the ‘EU-US Privacy Shield’ as such, adding a new entry to the long history of data protection between the two areas.

Background to the CJEU’s decision: Mr Schrems’ case

“Maximillian Schrems, an Austrian national residing in Austria, has been a Facebook user since 2008. As in the case of other users residing in the European Union, some or all of Mr Schrems’s personal data is transferred by Facebook Ireland to servers belonging to Facebook Inc. that are located in the United States, where it undergoes processing. Mr Schrems lodged a complaint with the Irish supervisory authority seeking, in essence, to prohibit those transfers. He claimed that the law and practices in the United States do not offer sufficient protection against access by the public authorities to the data transferred to that country. That complaint was rejected on the ground, inter alia, that, in Decision 2000/520 (‘the Safe Harbour Decision’), the Commission had found that the United States ensured an adequate level of protection. In a judgment delivered on 6 October 2015, the Court of Justice, before which the High Court (Ireland) had referred questions for a preliminary ruling, declared that decision invalid (‘the Schrems I judgment’).

Following the Schrems I judgment and the subsequent annulment by the referring court of the decision rejecting Mr Schrems’s complaint, the Irish supervisory authority asked Mr Schrems to reformulate his complaint in the light of the declaration by the Court that Decision 2000/520 was invalid. In his reformulated complaint, Mr Schrems claims that the United States does not offer sufficient protection of data transferred to that country. He seeks the suspension or prohibition of future transfers of his personal data from the EU to the United States, which Facebook Ireland now carries out pursuant to the standard data protection clauses set out in the Annex to Decision 2010/87.

Taking the view that the outcome of Mr Schrems’s complaint depends, in particular, on the validity of Decision 2010/87, the Irish supervisory authority brought proceedings before the High Court in order for it to refer questions to the Court of Justice for a preliminary ruling. After the initiation of those proceedings, the Commission adopted Decision 2016/1250 on the adequacy of the protection provided by the EU-U.S. Privacy Shield (‘the Privacy Shield Decision’).”

Namely, the CJEU invalidated Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield, while leaving in place the data protection principles applicable to non-U.S. third countries (namely, the CJEU decision states that the Court “considers that Commission Decision 2010/87 on standard contractual clauses for the transfer of personal data to processors established in third countries is valid”).

Official reactions to the CJEU’s decision

On its Privacy Shield website, the U.S. Department of Commerce states: “The [CJEU] issued a judgment declaring as “invalid” the European Commission’s Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-U.S. Privacy Shield. As a result of that decision, the EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. This decision does not relieve participants in the EU-U.S. Privacy Shield of their obligations under the EU-U.S. Privacy Shield Framework. The U.S. Department of Commerce will continue to administer the Privacy Shield program, including processing submissions for self-certification and recertification to the Privacy Shield Frameworks and maintaining the Privacy Shield List. If you have questions, please contact the European Commission, the appropriate European national data protection authority or legal counsel [2].”

Following the decision, EC Vice-President Jourová indicated that the Commission would abide by the ruling and continue working with U.S. counterparts, stating that “[this] ruling provides further valuable guidance for us and we will make sure that the updated tool will be fully in line with it.” Didier Reynders, Commissioner for Justice, reinforced the idea that “[the EC] will work with the European Data Protection Board, as well as the 27 EU Member States. It will be very important to start the process to have a formal approval to modernise the Standard Contractual Clauses as soon as possible. We have been in an ongoing process about such a modernisation for some time, but with an attention to the different elements of the decision of the [CJEU].” He also indicated that “[…] the Court has invalidated the Privacy Shield. We have to study the judgement in detail and carefully assess the consequences of this invalidation”.

The European Data Protection Board (EDPB), essentially on the front line of the GDPR’s implementation in the EU and with third countries, pragmatically announced that it will study the judgment and its implications, and seemingly intends to reassure stakeholders on both sides, stating: “While the standard contractual clauses (SCCs) remain valid, the CJEU underlines the need to ensure that these maintain, in practice, a level of protection that is essentially equivalent to the one guaranteed by the GDPR in light of the EU Charter. The assessment of whether the countries to which data are sent offer adequate protection is primarily the responsibility of the exporter and the importer, when considering whether to enter into SCCs. When performing such prior assessment, the exporter (if necessary, with the assistance of the importer) shall take into consideration the content of the SCCs, the specific circumstances of the transfer, as well as the legal regime applicable in the importer’s country. The examination of the latter shall be done in light of the non-exhaustive factors set out under Art 45(2) GDPR.”

The EDPB is an independent European body, which contributes to the consistent application of data protection rules throughout the European Union and promotes cooperation between the EU’s data protection authorities.

“Unofficial reactions” to the CJEU decision: U.S. and EC comments vary from one side of the Atlantic to the other.

A TechCrunch article[3], thoroughly exploring the potential impact of the Privacy Shield repeal on cloud applications, ironically states: “Short of radical changes to U.S. surveillance law, it’s tough to see how any new framework could be made to legally stick, though. Privacy Shield’s predecessor arrangement, Safe Harbour, stood for around 15 years. Its shiny “new and improved” replacement didn’t even last five.”

Lewis Silkin LLP, a U.K. law firm, sets out on the Lexology.com website[4] its “immediate advice for organisations who transfer data outside the EEA (and of course specifically to the US) as follows:

  • Don’t panic.
  • Review existing international data transfers and data transfer mechanisms (hopefully a lot of this was done as part of your GDPR compliance) and identify areas of current non-compliance.
  • Wait for further guidance from EU/UK regulators and the FTC (including the arrival of the new SCCs from the EC).
  • Hope the EC and FTC come together quickly and create Privacy Shield Mark 2 for US transfers.
  • Where you are relying on SCCs for transfers to jurisdictions outside of the EEA including the US, consider putting together papers as to why you believe those territories offer adequate protection to data subjects so in the unlikely event you do come under challenge, you have the all-important written narrative to show the regulator.”

In this context, Think NEXUS will organise, through its policy working group, a webinar dedicated to the Privacy Shield in September (date not confirmed at the time of writing; to be announced on the project’s website).

[1] Court of Justice of the European Union, Press Release No 91/20, “Judgment in Case C-311/18 – Data Protection Commissioner v Facebook Ireland and Maximillian Schrems”, 16 July 2020, available at https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-07/cp200091en.pdf

[2] U.S. Department of Commerce, “Privacy Shield Program Overview”, available at https://www.privacyshield.gov

[3] TechCrunch, “Legal clouds gather over US cloud services, after CJEU ruling”, available at https://techcrunch.com/2020/07/17/clouds-gather-over-us-cloud-services-after-cjeu-ruling/

[4] Lewis Silkin LLP, “The EU-US Privacy Shield invalidated in Schrems II: what does the European Court of Justice ruling mean?”, Lexology, available at https://www.lexology.com/library/detail.aspx?g=d175626a-49c1-4eb5-9ee5-e39da301bc5b