It’s a big day for data protection. Max Schrems, a data protection activist, brought another high profile case against Facebook that was referred to the Court of Justice of the EU (CJEU) and today we got the long-awaited decision – the court declared the Privacy Shield framework to be invalid.
What was Privacy Shield?
According to the GDPR, transfers of personal data outside the European Economic Area are not allowed unless appropriate safeguards to protect the transferred personal data are in place. Next to the Standard Contractual Clauses by the EU Commission, the most popular mechanism to achieve that was the EU-U.S. Privacy Shield framework. The EU Commission and the US administration agreed on this framework in 2016, which allowed US companies to self-certify that they abide by the principles of the framework – rendering the concerned data flows between the EEA and the US legal. The supervisory authority on the US side responsible for ensuring compliance is the Federal Trade Commission (FTC).
Next to an arguable lack of enforcement from by the FTC, the existence of far-reaching US surveillance laws that allow mass surveillance of EU citizens led to criticism, alleging that the Privacy Shield did not offer adequate protection to the rights and freedoms granted under the GDPR. The CJEU now confirmed this view and invalidated the Privacy Shield Framework.
What does that mean?
With the Privacy Shield having suffered the same fate as its predecessor, the Safe Harbour framework – and by none other than the same man – it is now impossible to rely on this framework to legally transfer personal data from the EEA to the US. Instead, de facto, the only means to transfer the personal data is to make use of the Standard Contractual Clauses (SCCs) provided by the EU Commission (or a national supervisory authority). The validity of the SCCs has been confirmed by the CJEU in this decision and remains a globally applicable safeguard mechanism.
However, the court emphasised that the applicability of the SCCs needs to be evaluated in each case, particularly in regard to the presence of surveillance laws that render the SCCs inapplicable. In relation to US transfers, this means that data transfers to organisations subject to FISA 702 cannot rely on the SCCs. FISA 702 permits US authorities to monitor the data of electronic communication service providers (e.g. Facebook, Google, Amazon) of non-US persons reasonably believed to be outside the country without first obtaining a warrant. It is unclear what safeguards are capable of satisfactorily replacing Privacy Shield and the SCCs for such entities.
Does this affect my company? What should I do now?
Every company that is subject to the GDPR should go through their inventory of data controllers and processors with which they share personal data. Then:
- Find the ones located in the United States and check whether the agreement with such companies relies on the Privacy Shield. This may be a data processing agreement if it is between a data controller and data processor or a data sharing agreement in case of data transfers between a data controller and another data controller or joint controller.
- If you find data transfers that currently rely on the Privacy Shield framework, it is in your best interest to reach out to those providers and to initiate a discussion to change the agreement to rely on legally available safeguards, such as the SCCs.
- If the data controller or data processor is subject to surveillance laws similar to FISA 702, the SCCs cannot be relied on. If the recipient of the data is outside the scope of such monitoring laws you may be able to rely on the SCCs. Note that there are SCCs that you can sign with a controller and SCCs that you can sign with a processor. However, if the US company is subject to surveillance laws, currently the best course of action is to stop the data transfer and to change to a new provider in a country with less invasive surveillance laws.
Update: We clarified the position on SCCs as they relate to FISA 702 after publishing the original story.