Transferring personal data to the US after the Schrems-II judgment? Everything you need to know to avoid legal risks

The Austrian Max Schrems has once again been succesful in one of the many privacy lawsuits that he has regularly conducted over the past years. The consequences are significant this time. After the “Safe Harbor” system had already been brought down, the “Privacy Shield” has now also been brought to an end by Schrems (on perfectly logical grounds, by the way). 

The “Privacy Shield” between the EU and the US ensured that personal data could be exported securely and in compliance with GDPR to the United States by European companies. Many US cloud services, apps and software tools have relied on the Privacy Shield to offer their services to European customers in a legally compliant manner.

But as it now shows, Privacy Shield itself is not compliant with European data protection laws and the ECJ has now put a ban on the whole system.  

What does this mean for your company? Read all about it in this article.  

SchremsII_privacy_shield

Transfer of personal data outside the EU?

Transferring personal data to persons or companies outside the European Union is in principle not allowed under GDPR. The European legislator assumes that countries outside the EU (or rather the EEA, which is the EU, expanded with Norway, Iceland and Liechtenstein) cannot necessarily offer the same level of data protection as the level that exists in Europe under GDPR. Therefore, personal data may only be transferred outside the EEA under very specific conditions.   

First, there is a (very short) list of “safe” countries, which are expected to provide a similar level of protection based on their own legislation. This list includes a number of British Commonwealth countries, as well as Japan, Canada, Argentina and Israel.  

In order to transfer data to a recipient in a country that is not on this list, one can do so on the basis of two systems. 

When it comes to transfers within a group of companies, so-called “Binding Corporate Rules” can be drawn up internally. BCR’s are internal regulations that must be approved by the competent Data Protection Authority and that have to guarantee the safety of data exchanges within the group. 

If one wants to transfer data to a company that does not belong to the same group, such as a cloud provider, an external software developer, an offshore call center, etc … on the other hand, one must ensure that an agreement is signed with the recipient in which a whole series of guarantees is explicitly provided. The European Commission has created Standard Contractual Clauses for this purpose that can be copied one-to-one in such an agreement.

Anyone who transfers personal data and cannot fall back on one of these legal constructions, is at risk of incurring very high fines.

Privacy Shield?

Many technology companies are located in the United States and there is therefore a lot of personal data export from the EU to the US. However.  Since data protection laws in the US do not offer the same “adequate” level of protection as the stringent requirements set by GDPR in the EU, the US has never been shortlisted by the EU as a “safe country”.  

In order to ensure that American companies could continue to trade with partners in the EU, a different and specific system for data exchange between Europe and the United States was set up many years ago. That system was successively called the Safe Harbor system and later the Privacy Shield and prevented US companies from having to enter into Standard Contractual Clauses with their customers in the EU whenever data had to be passed on to them, for example because they were stored or processed on their servers. Safe Harbor and Privacy Shield ensured that US companies provided an adequate level of security for personal data if they met a number of strict conditions and were certified in the US. It was in other words not the American legislation itself, but the safety level offered by American companies that was considered “adequate”.      

The first version of this system, Safe Harbor, was successfully attacked in 2015 by Max Schrems, who believed that US companies could never guarantee an “adequate” level of security for personal data because US law grants far-reaching rights to US intelligence services that allows them to monitor and analyze personal data. This complaint ultimately resulted in the Safe Harbor system being declared invalid and replaced by a similar system called the Privacy Shield.

With regard to the validity of that Privacy Shield, the European Court now quite rightly says that this regulation in its turns still cannot provide a level of protection equivalent to the level of protection that exists within the EU. Again, this is due to the extensive interference of US intelligence services, which systematically and widely monitor data from emails and cloud storage services based on, amongst others, the Foreign Intelligence Surveillance Act or Executive Order 12333 or the Presidential Policy Directive. The Court of Justice therefore now declares the Privacy Shield to be invalid.

What does this mean for you?

This decision has far-reaching consequences. After all, a lot of online service providers from the US rely on the Privacy Shield to legally process personal data of their European customers. The whole system is now shattered with one stroke of a pen and thousands of American companies no longer meet the minimum conditions to store or process personal data of European citizens. This concerns, for example, cloud storage services, hosting services, all kinds of online tools for online marketing, CRM, accounting packages, ERP, but also, for example, local software developers, consultants, call centers, etc …  

Strictly speaking, all of a sudden and overnight, European companies are no longer allowed to exchange personal data with their American partners. If they do so anyway, they will expose themselves to immense fines and if any data breach should occur at such a non-compliant partner in the US, the European companies involved may also be held liable for all damages following from such a data breach, in addition to the aforementioned fines. 

An additional problem: Brexit

Not only data export to the US under the Privacy Shield is problematic, by the way. By the end of 2020, an equally serious legal problem will arise for European companies that export data to the United Kingdom. After all, if there is no Brexit deal by the end of 2020, the UK will from then on become a “third” country, which for the time being does not have an adequacy decision by the European Commission and to which personal data can therefore no longer be automatically exported.

In other words, British companies will be in the same situation as American companies by the end of this year: they will have to conclude data export agreements with their European customers on the basis of the Standard Contractual Clauses of the European Commission, failing which European companies will no longer be allowed to cooperate with them. 

The solution

Fortunately, the Court ruled that the system of Standard Contractual Clauses is not invalid. The solution is therefore clear: European companies must ensure that all cooperation with US partners, which were based on the Privacy Shield as soon as possible to be replaced by an agreement based on the Standard Contractual Clauses of the European Commission … 

The Commission has worked on modernizing those standard clauses, which go back to 2010 and are no longer GDPR-compliant. It has been waiting for the Schrems-II case to be resolved before releasing them officially, but we can now expect the updated clauses to be made public soon. Anyone who relied on the old clauses in the past may also have to update their agreements in the near future …

What exactly should you do?

  1. Look out for new guidelines from your local Data Protection Authority, the EDPB and the European Commission.
  2. In the meantime, do an internal audit of your pending agreements and watch out for:
    • Data transfer to US partners previously covered by the Privacy Shield
    • Data transfer to UK partners previously located within the EU
    • Data transfer to any other country based on the old Standard Contractual Clauses 
    • Data transfer that is subject to binding corporate rules and that involves data transfer to the US. The ECJ does not mention Binding Corporate Rules, but they are a form of “appropriate protection” under Article 46, so the general comments on the need to review the law of the importing country may also apply here. Guidance from supervisory authorities on this point would be particularly welcome.
  3. Assess for each partner whether the existing framework is still sufficient
  4. Provide a new data export agreement where necessary based on the soon to be announced Standard Contractual Clauses.
  5. Keep in mind that transfer of data outside the EU is only possible if necessary and choose preference for European partners 
  6. Take into account the need that the European Court of Justice also imposes to assess the “appropriate” nature of local legislation, even if Standard Contractual Clauses (or Binding Corporate Rules within a group of companies) are used.  
  7. So -ideally based on a Vendor Assessment List- check the following points:
    • Which country personal data is transferred to?
    • Whether government authorities in that country could be entitled to access the data?
    • Is the data encrypted or tokenized during transport?
    • Whether, as GDPR requires, in addition to Standard Contractual Clauses or Binding Corporate Rules, sufficient safeguards have been taken by the recipient to make up for the lack of data protection in his or her country. The data exporter has a duty to ensure “appropriate safeguards”, especially as regards access by public authorities to data. If the (European) data importer may be required to submit data for inspection to his or her government, he cannot meet the requirement of an “adequate level of protection and must notify the data exporter in advance. This is a huge problem for the US in particular because of the previously cited intelligence legislation… In that case, the data exporter must immediately stop any transfer.
  8. If necessary, stop working with partners who are unable or unwilling to meet the required conditions. The potential impact on your business is far too great to take risks …  

Are all data transfer to the US illegal from now on?

This judgment places a time bomb under just about every data transfer to the US, by the way.  After all, almost all European data is transferred to the US via underwater fiber optic cables at the bottom of the ocean. The EHJ notes that the American NSA has systematic access to these cables and can collect and analyze data even before it arrives in the U.S. 

The ECJ rightly says that this de facto means that personal data is never “secure” in the US and can never be “processed with the minimum safeguards … and as a result, the surveillance programs based on these provisions cannot be considered as limited to what is strictly necessary“. The ECJ further notes that: “In those circumstances, the restrictions on the protection of personal data that arise from United States national law regarding the access to and use by the United States government of such data transferred from the European Union to the United States States are transferred States, which the Commission has assessed in the Privacy Shield Decision, are not defined to meet requirements that are substantially equivalent to those required by EU law … “.

In other words, this means that US law itself is incompatible with the EU’s minimum data protection requirements. Since all data sent to the US via a submarine cable appears to be sensitive to access by the NSA, it is difficult to see how a data exporter could conclude that his data is sufficiently protected by the recipient in the US. It remains to be seen how the various Data Protection Authorities and the EDPB react to this … 

Questions about data export under GDPR or need help with an audit of your current contracts?

Feel free to call or email us. Our team is happy to assist you. You can reach Bart Van den Brande at +32 486 901 931 or at bart@siriuslegal.be