By John Alec Stouras
The European Court of Justice (ECJ) handed down a ruling that may have just put the fork in the EU-US Privacy Shield. If you are a business that has customer data transferred between the E.U. and U.S., which many do, the privacy shield was an easy mechanism to transfer data and be in compliance with both U.S. and E.U. laws. Businesses and organizations transfer personal data by using the privacy shield certification. Now, that framework that allowed for the ease of data transfers has been voided. Now, we are in a bind because many companies are certified through Privacy Shield as an easy means of compliance. The privacy shield, as a means of a compliance framework, has been effectively buried. So, now companies have only a couple means left of moving data across the big pond, Standard Contract Clauses (SCC's), Binding Corporate Rules (BCR's), An Approved Certification mechanism or through a General Data Protection Regulation (GDPR) exemption (such as consent).
The reason is because the GDPR only allows the transfer of European citizen data to another country or international organization if: 1) The European Commission (E.C.) has made an adequacy decision on the country (the Privacy Shield fits here) 2) The controller or processor has provided appropriate safeguards and subject rights as well as legal remedies (SCC's seem to fit here, as with BCR's) and 3) Or a specific derogation (exemption) applies.
If you read the article headings later in the article, you will find out that I left out one type of mechanism, called adequacy finding, which is that the European Commission finds that the country provides adequate levels of data protection to individuals. The reason is that the U.S. is far from passing a federal privacy law on the books, and likely due to internal surveillance laws in the United States, the E.C. will likely not find that the U.S. is providing them "adequate levels of data protection" to individuals.
Therefore, lacking an adequacy decision, they have to make sure proper safeguards are in place per SCC's and BCR's. This doesn't just mean they are there; it means that the company has taken steps that the GDPR considers in compliance.
I. What Did Privacy Shield Effectively Do?
Privacy Shield effectively helped businesses comply with both U.S. and E.U. data privacy laws, by affording European individuals the right to have their data protected according to E.U. laws if your data was being processed by a company in the U.S. This privacy shield was brokered a little over four years ago.
II. What Was the Ruling?
The ECJ effectively ruled that the Privacy Shield Framework was invalid because the European Commission on the adequacy of the privacy shield was invalid. The reason is that the Privacy Shield did not, to their belief, actually limit access to data and protect the privacy of E.U. citizens because of U.S. surveillance laws and U.S. companies. Further, they stated that citizens couldn't take action against U.S. companies for privacy violations because of the problem above (the U.S. surveillance laws).
Though there is a bit of good news, SCC's are still valid under the ECJ ruling. SCC's are Standard Contractual Clauses for data transfers between E.U. and non-EU countries, and the E.C. has their decisions about them in a pretty little place right here.
III. How to Leave the Privacy Shield
Leaving the privacy shield framework as a business doesn't mean you can just do nothing, but it is not difficult either. As stated by Fennessy, a former Director of the U.S. Privacy Shield framework at the U.S. International Trade Administration, "anyone in Privacy Shield should be cautious in terms of how they step out of the framework . . . (t)here is a set process to withdraw from Privacy Shield if that is something they want to do, and their commitments under Privacy Shield remain binding and enforceable by the U.S. Federal Trade Commission." Go onto the Privacy Shield's website, as they'll provide an easy way of withdrawing safely here.
IV. Okay, So Standard Contract Clauses
Many companies are going to have to display that they are in compliance with the E.U. with the Standard Contractual Clauses. The words do not demonstrate precisely what they do. A Forbes article states: "The SCC aren't just words to paste into a contract. They are measures that must be reflected in technical architectures and business practices." Click here for more information. SCC's are clauses that mainly provide that data leaving the European Economic Area (EEA) are being protected in a way that is compliant with the GDPR.
The SCC's are perfect because they offer E.U. compliance. However, you still may need to act beyond just having the clauses as they set out how the data must be transferred and safely held. Small companies will need to use this route in the event Privacy Shield never comes back.
For giant corporations, many often use SCC's and Privacy Shield agreements, so their operations will not be substantially hindered. For smaller ones, such as yours, there are approved E.U. templates of SCC's that you can find. However, they have not been updated for a bit, so they may need to be worked upon. There are three sets that we will get into later.
To clarify, SCC's are not used if the person (the data subject) is sending you their data. Nevertheless, that still means their data is protected under GDPR protection obligations, and thus still have legal remedies under the GDPR in the event of a violation.
SCC's are useful for business to business/organization/I.C./consultant data transfers. Also, you need to know what kind of SCC you'll be using. It depends on two things: what the classification of the sender is (Controller or Processor), and if it's leaving the EEA. Let's start with the definitions.
GDPR Definition: Natural or legal person, authority, agency, body which, alone or jointly with others, determines the purpose and means of the processing of personal data.
My Definition: The sender is a controller if they can decide what data they are collecting and processing.
This includes if they say they are a controller, if they are providing a service, if they are a consultant for you, if they hold a relationship with the people, they are sending data about, such as site visitors, patients, stockholders. This is by far non-exhaustive, but the one-line definition at the top will get you started on if the sender is a Controller.
GDPR Definition: Natural or legal person, authority, agency, or other body which processes personal dataon behalf of the controller.
My Definition: If the Sender is holding data only for you, so it provides a service to you and only listens to your orders, or on behalf of another company and acting solely on the orders of that company, they are a processor.
Note: In general, processors have more limited compliance responsibilities. For more information on this, click here to go to the U.K.'s Information Commissioners Office, which provides a fantastic quick start guide to GDPR determinations.
These two definitions matter, so you can correctly choose the template SCC. On the E.C. website, there are three sets.
Set 1: Transfer from E.U. Controllers to Non-EU/EEA Controllers
Set 2: Transfer from E.U. Controllers to Non-EU/EEA Controllers, the "Alternative set of SCC's" for those transfers it is generally considered to be a more pro-business then Set 1.
Set 3: Transfers from E.U. Controllers to Non-EU/EEA Processors.
You can find these sets here.
By now, you are asking, what about E.U. Processors or even data from processors? Well, you can only use SCC's if the sender is a controller.
V. Binding Corporate Rules
The BCR's are rules set by a corporation or organization regarding the transfer of intra-organizational personal data across countries. Essentially, it is a rule your company sets for those transfers, and if your company is transferring such data, it is a pretty great option to choose. Binding Corporate Rules are laid out in Article 47 of the GDPR. For them to be approved by the GDPR's supervisory authority, the BCR's first must meet five requirements:
1. BCR's are legally binding
2. Applied by and enforced by every member of the organization
3. Have expressly conferred data subjects' enforceable rights about their data.
4. Fulfill a whole list of specification requirements laid out in paragraph 2 of Article 47, including things such as:
- Application of general data protection principles such as data minimization
- Give data subjects the right to lodge a complaint and obtain redress
The definition of a Binding Corporate Rule per Article 1 of the GDPR is where it can get tricky: "BCR means personal data protection policies which are adhered to by a controller or processor established on the territory of a member state for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity." So, this means BCR's can cover multiple enterprises taking place in transfers. As found on Law Infographic, it shows how the use of BCR's are beneficial if there are constant business partners between communications, or you take place in a franchise. Click here for more information on the scope of joint activity.
It isn't an easy way to get compliance, but the benefits are there. One of them is you won't need as many contracts as you would under the SCC. There is constant agreement on the rules and only one area to look back to in an issue. Nevertheless, it does the one thing you want; it shows compliance with the GDPR.
Again, just like SCC's, you need to take steps to show GDPR compliance and not only have the BCR's on the books. You need to follow it.
VI. Okay, So GDPR Exemptions
As with anything, there are exceptions listed in Article 49 of the GDPR. So, let's go through them by letter and provide an example. The exceptions are likely narrower than you think because the GDPR is interpreted to be broad.These are going to be in my terms to make them as clear as possible and not so much legalese.
(a) The "Data subject" (natural person) agreed to it and has been informed about the risks.
(b) Transfer is necessary for the completion of a contract OR for forming a contract per the data subjects request.
(c) Transfer is necessary for the completion of a contract in the interest of the data subject and the controller/natural person.
(d) Transfer is necessary for public policy reasons.
(e) Transfer is necessary for legal issues.
(f) Transfer is necessary to protect data subject, where they are physically/legally incapable of consent.
(g) Transfer is made from a register according to E.U., or member state laws are used to provide info to the public AND which is open to consultation either by the public or a person who can demonstrate an interest. However, only to the extent that the consultation can be fulfilled within that particular case.
Now, there are even more limitations and exceptions to these exemptions. And, when navigating it all, it can get quite dicey. These exceptions are supposed to exist as a means to circumvent the other methods, but, as I'm sure you have surmised, doing these exemptions still has different risks.
Such as for (a), there are limitations on this point laid out in the GDPR as well. A customer likely wouldn't be privy to hearing that their information lacks the type of security and privacy the GDPR offers.
VII. Wait a minute, What About The SWISS!
Interestingly enough, the ECJ's ruling doesn't touch the US-Swiss Privacy Shield; it only invalidated the US-EU Privacy Shield. However, there is a lot of speculation that the Swiss will follow the E.U., which in all honesty, may make the situation less ambiguous and grey, than it already is.
VIII. Wait a minute, What About the BRITTS!
Interestingly enough as well, the British have a thing called the UK-GDPR, which is similar to the EU-GDPR with slight changes. It came into effect on January 31, 2020. However, that is a whole 'nother can of worms to open, because of the issues that have been causing with cross-compliance.
IX. So, Where Does That Leave Us?
Scrambling. Both businesses and lawyers alike will be having to do tough talks about privacy security, data autonomy, and privacy-by-design topics. Personally, it is a huge power move for the ECJ as they did this during a time where data flow is at its height, during a pandemic.
X. Help! I Need Somebody, Help!
With all the song references out of the way, you likely are going to need real legal assistance if you are performing cross-border data transfers for your business. Getting legal help from a large firm or a privacy boutique firm will be critical for being in compliance. Also, contact privacy professionals; the resources are out there to become GDPR compliant in a time where privacy shield has fallen into the abyss.
Are you interested in launching or sustaining a pandemic proof small business? Spot issues, take action, stay safe, and thrive in a post Covid-19 world with Legalucy. Learn more at thelucyreport.com
Your interaction with Legalucy and mypandemicproofbusiness.com does not create an attorney client relationship. We provide information for your reference only. Such information should not and cannot be construed as legal advice. For more information, please contact firstname.lastname@example.org.