The Broken Privacy Shield

It’s official — the EU Court of Justice has invalidated the U.S. Department of Commerce Privacy Shield Program in its landmark “Schrems II” case. To summarize, this means that any company that has been relying on the Privacy Shield Program to process the personal data of EU data subjects in the U.S. now needs to find another legal mechanism to continue processing it in the U.S. There are quite a few issues to unpack here, and the Lucid Privacy Group has distilled them down to the key points.

What caused this decision? Simply put — U.S. surveillance laws and the limited redress rights of EU data subjects. The complaint stems from the 2013 Edward Snowden revelations, and the decision is not entirely surprising given previous EU Court decisions (e.g., Schrems I, which invalidated the U.S. Safe Harbor Program).

How do I know if this decision affects my company’s processing of EU personal data? Identify all of your data service providers, and review each agreement to see if there is a provision about their compliance with the U.S. Privacy Shield Program. Alternatively, you can review the Privacy Shield Participants List to see if your service providers are listed and then review their contracts.

What are my company’s other options? The GDPR provides for several other transfer options, although for most companies only the Standard Contractual Clauses are going to be relevant in the short term:

  1. Move your EU data to the EU (or another ‘adequate’* country): Many cloud providers and larger service providers have anticipated this issue, and now enable customers to choose their hosting locations for EU personal data. Take note — choosing to migrate to another service provider just for this reason is not necessary due to the other options and explanations below.

  2. Consent: While it is technically an option to simply ask EU residents if they would be amenable to their personal data being hosted in the U.S., consent must be clear, unambiguous, freely given and easily revocable, which is rarely an option for companies to implement. It would also be a monumental task to identify each EU resident in your database and establish a new consent for this type of processing, and if you have an easy choice of hosting locations — then it would seem easier to simply host the data in the EU.

  3. Binding Corporate Rules: Multinational corporations can establish a set of policies and procedures that are endorsed by all EU member country data protection authorities (DPAs). This is a long, arduous process, and only a small set of companies have achieved it to date. Even so, there are some companies on this list that you may already be working with who have BCRs in place, such as Box, Cisco, HP, NetApp, Oracle, Salesforce, Twilio and Zendesk.

  4. Standard Contractual Clauses (a.k.a. Model Contracts): Adopted by the European Commission, these agreements enable companies to follow a common set of terms that permit processing of EU data in a country not deemed adequate by the EU. The agreement terms cannot be modified (other than filling in the blanks), and they are often attached as an addendum to a data protection agreement. You can download these agreement terms here.

If signing a contract addendum is possible, then why didn’t companies use this mechanism instead of relying on the Privacy Shield Program? U.S. companies signing these agreements shift their jurisdictional rights to the EU, and specifically the question of whether their data protection controls meet the standards of any relevant DPA. It is then possible for any DPA to invalidate the SCCs as applied to your service provider, and the Schrems II ruling emphasizes these DPA rights.

What happens to companies’ Privacy Shield certifications? Nothing. These companies have a binding agreement with the Department of Commerce, and must fulfill those terms until their certification lapses at renewal or is terminated. The FTC can continue to enforce these terms, and companies may rely upon them to provide reasonable assurances to corporate customers that they are responsible data stewards.

What if we don’t make any changes? In the short term, it is unlikely that any DPA is going to take enforcement action against companies that have not implemented alternative data transfer mechanisms. Between COVID-19 privacy issues and Brexit, as well as the tremendous need for the continued flow of data between the EU and U.S., it is unlikely any enforcement actions will be taken until 2021.

What are my company’s next steps, and how can the Lucid Privacy Group assist?

  1. Identify all of your EU personal data service providers. If you have not completed a data mapping or Records of Processing Activities (ROPA), then reach out to Lucid for a template or assistance completing one.

  2. Review the Privacy Shield and BCR companies lists and cross-check with your existing contracts to determine where you may need to supplement your existing agreements. This is a non-legal administrative task, and Lucid can assist if you need support.

  3. Execute Standard Contractual Clauses with any identified Privacy Shield listed companies. Since the legal terms in the SCC agreements cannot be modified, this is also a non-legal administrative exercise that Lucid can assist with, including project management support to complete execution in a timely fashion.

  4. Enhance your data protection agreements to include provisions that improve transparency and response procedures for governmental inquiries, as well as security controls (e.g., encrypting data at rest). While Lucid does not provide legal advice, we aggregate and can share common terms that you can consider implementing.

As we learn about DPA responses to the judgment and potential enforcement priorities, we’ll share more insights on the blog and in client alerts.

  • (*) The EU has established that certain countries’ data protection laws are sufficient to enable data transfers without any additional legal mechanisms. Notably: Argentina, Canada, Israel, Japan, New Zealand and Switzerland.
