It’s official — the EU Court of Justice has invalidated the U.S. Department of Commerce Privacy Shield Program in their landmark “Schrems II” case. To summarize, this means that any company that has been relying on the Privacy Shield Program to process the personal data of EU data subjects in the U.S. now needs to find another legal mechanism to continue processing it in the U.S. There are quite a few issues to unpack here, and the Lucid Privacy Group has distilled it down to the key points.
What caused this decision? Simply put — U.S. surveillance laws and the limited redress rights of EU data subjects. The complaint stems from the 2013 Edward Snowden revelations, and the decision is not entirely surprising given previous EU Court decisions (e.g., Schrems I, which invalidated the U.S. Safe Harbor Program).
How do I know if this decision affects my company’s processing of EU personal data? Identify all of your data service providers, and review each agreement to see if there is a provision about their compliance with the U.S. Privacy Shield Program. Alternatively, you can review the Privacy Shield Participants List to see if your service providers are listed and then review their contracts.
What are my company’s other options? The GDPR provides for multiple other transfer options, albeit for most companies only the Standard Contractual Clauses are going to be relevant in the short term:
- Move your EU data to the EU (or another ‘adequate’* country): Many cloud providers and larger service providers have anticipated this issue, and now enable customers to choose their hosting locations for EU personal data. Take note — choosing to migrate to another service provider just for this reason is not necessary due to the other options and explanations below.
- Consent: While it is technically an option to simply ask EU residents if they would be amenable to their personal data being hosted in the U.S., consent must be clear, unambiguous, freely given and easily revocable, which is rarely an option for companies to implement. It would also be a monumental task to identify each EU resident in your database and establish a new consent for this type of processing, and if you have an easy choice of hosting locations — then it would seem easier to simply host the data in the EU.
- Binding Corporate Rules: Multinational corporations can establish a set of policies and procedures that are endorsed by all EU member country data protection authorities (DPAs). This is a long, arduous process, and only a small set of companies have achieved it to date. Even so, there are some on this list that you may already be working with who have BCRs in place, such as Box, Cisco, HP, NetApp, Oracle, Salesforce, Twilio and Zendesk.
- Standard Contractual Clauses (aka Model Contracts): Adopted by the European Commission, these agreements enable companies to follow a common set of terms that permit processing of EU data in a country the EU has not deemed adequate. The agreement terms cannot be modified (other than filling in the blanks), and are often attached as an addendum to a data protection agreement. You can download these agreement terms here.
If signing a contract addendum is possible, then why didn’t companies use this mechanism instead of relying on the Privacy Shield Program? U.S. companies signing these agreements shift their jurisdictional rights to the EU, and specifically the question of whether their data protection controls meet the standards of any relevant DPA. It is then possible for any DPA to invalidate the SCCs as applied to your service provider, and the Schrems II ruling emphasizes these DPA rights.
What happens to companies’ Privacy Shield certification? Nothing. These companies have a binding agreement with the Department of Commerce, and must fulfill those terms until their renewal lapses or is terminated. The FTC can continue to enforce these terms, and companies may rely upon them to provide reasonable assurances to corporate customers that they are responsible data stewards.
What if we don’t make any changes?…