For many organisations, the international transfer of data is essential to running their business and the recent CJEU ruling (also called Schrems ruling) will have had a significant impact on organisations operating outside the EEA. This is the first in a series of blogs exploring what this decision means for you.
BH Consulting will analyse the recent guidance given to businesses by the European Data Protection Board (EDPB) and translate it into practical recommendations your business must consider today to remain GDPR compliant. The blog series will be followed by a free webinar with our data protection experts. To register please follow this link.
On July 16, the European Court of Justice (CJEU) ruled that the agreement to allow data transfers between the EU and the United States, known as Privacy Shield, is no longer valid.
This decision did not come out of the blue. It dates back to 2013 when Edward Snowden revealed the PRISM programme (where the US NSA accessed data from big tech e.g. Facebook, Apple, Google, and Microsoft among others). Following this, the privacy campaigner Max Schrems complained to the Data Protection Commission (DPC) that Facebook was helping the NSA conduct mass surveillance of EU citizens. The DPC rejected his complaint. As a result, Schrems took his case to the Irish High Court – where it was referred to the CJEU.
Does the court ruling affect the current data transfer practice?
Flows of personal data to and from the European Union are governed under Chapter V of the General Data Protection Regulation (GDPR) “Transfer of personal data to third countries or international organisations” (Article 44 – 50). The GDPR allows the transfer of personal data from the European Economic Area to any third country that the EU deems adequate, or requires the controller/processor to put in place “appropriate safeguards”.
The court ruling has not changed that. What changed is that the judgement made clear that the adequacy of protection in the US is no longer valid. That is because of the U.S. surveillance law in Section 702 FISA and EO 12333, which can give the US authorities access to any transferred data.
Wait a minute, what’s FISA now?
FISA section 702 specifically “allows the government to obtain the communication of foreigners outside the US, including foreign terrorist threats”. For example, the program allows the government to obtain the emails or phone calls, without a warrant, of a non-American target. Most commonly used US data processors, such as cloud providers, fall under Section 702 FISA. Certainly the market leaders such as Microsoft, Google, Amazon, Apple etc. fall within the U.S. FISA rules either because they are U.S. companies or conduct systematic business in the U.S. EO 12.333 is potentially even more far-reaching because it permits “surveillance in transit”, such as the accessing of data that is not properly encrypted while it passes over transatlantic cables.
This only affects the US, right?
Wrong. The European Data Protection Board (EDPB) and other supervisory authorities continue to examine and assess the judgment of the CJEU. The EDBP states that the CJEU’s judgment has implications beyond the use of the Privacy Shield as a transfer mechanism.
“In general, for third countries, the threshold set by the Court also applies to all appropriate safeguards under Article 46 GDPR used to transfer data from the EEA to any third country.”
How long do I have to make changes?
There is no grace period given; transfers on the basis of the EU-US Privacy Shield are now illegal. You need to apply a different framework in order to transfer data. The EDPB states: “Should you wish to keep on transferring data to the U.S., you would need to check whether you can do so under different conditions”.
Are you serious? What should I do now?
- Ensure any new contracts signed do not reference Privacy Shield for personal data transfer
- Update your standard DPA template to remove any references to Privacy Shield
- Identify all international transfers of personal data to countries that may be deemed inadequate, such as the US, Russia, or China
- Determine what mechanism your current transfers rely on (e.g. Privacy Shield/ SCCs)
- Engage in a risk assessment of the circumstances of each transfer including the following:
- What is the purpose of the transfer?
- Is the data protected in transit and at rest (using encryption, anonymisation etc.)
- How sensitive is the data?
- How much data is transferred?
- What is the frequency of the transfers?
- Review your existing Data Protection Agreements (DPAs) in place with relevant processors and confirm:
- What actions they are taking to comply with the CJEU decision
- Whether they are subject to obligations under relevant US surveillance laws such as FISA 702 (most cloud providers will be subject to them) or if they work with partners that may fall under FISA 702 or EO 12.333?
- If the DPA does not specify, clarify if the processor has implemented additional safeguards to secure the data
- If necessary/possible, consider negotiating the inclusion of specific statements in the active DPAs to forbid transfers to the US or the inclusion of specific safeguards.
- Identify if there are any alternative processors in the EU that you could consider.
- Assess your options for each transfer:
- Identify if any conditions under Article 46 and/or 49 may apply
- Necessity of transfer: can the transfer be stopped or changed?
- Can you consider a provider in the EU, taking account of the overall business impact?
- Have you identified any supplementary safeguards you could put in place, e.g. encryption in transit, encryption at rest?
- Other actions:
- Update privacy statements to remove any references to Privacy Shield
- Ensure a process is in place to perform due diligence on any new/pending suppliers/vendors
- Review ongoing guidance from DPAs and the EDPB.
REGISTER FOR OUR WEBINAR:
Lawful processing after Schrems II – a practical guide for continued compliance. Register here.
Key Takeaways included:
• Overview of the surveillance landscape and risks
• CJEU decision – what it is and what it means to your business
• Recommendations – how to ensure continued compliance
• New Standard Contractual Clauses (SCC’s) – what are key changes and when do companies need to implement them
• Supplementary measures – what are they and where do they apply
• Transfer Impact Assessment – what is it and how to get started
Wait, there’s more
The next blogs in our series will provide further details on the following areas:
Blog 2: Explores the EDPB recommendations on effective ‘supplemental measures’
Blog 3: Explains the new standard contractual clauses and how to implement them
And if you haven’t had enough….
There are useful FAQs about this area from the European Data Protection Board and from NOYB, Max Schrems’ privacy rights group. You can also find supporting documents about the case here. Politico has covered what it might mean for European data transfers.