American businesses are facing another data privacy headache. In July, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield framework, a mechanism that more than 5,000 US companies used to legally transfer data from the EU to the US under EU data protection rules. As with prior rulings, the foundation of the decision is that US government surveillance for national security purposes jeopardizes the security of EU citizens’ data.
Companies who relied on Privacy Shield are scrambling to find alternate ways to move data, despite the fact that those that were certified under the framework are still required to uphold their Privacy Shield commitments. But the fact that organizations can no longer rely on Privacy Shield is the less important part of the ruling.
Yes, it’s frustrating to have spent time, money and effort on compliance only to have the rug ripped out from under you. Let’s focus on the most pressing outcome of the ruling, which is CJEU's assertion that when using the EU Standard Contractual Clauses, and therefore other mechanisms for transfer, there is "an obligation on a data exporter and the recipient of the data to verify, prior to any transfer, whether that level of protection is respected in the third country concerned." This begs the question: Are most data flows out of the EU illegal now?
The Global Impact of the Privacy Shield Decision
This CJEU judgment focuses on US businesses, but influences data transfers to any country with surveillance laws that don’t provide adequate redress mechanisms to EU citizens. This potentially includes Canada, the United Kingdom, China, Russia and many other countries. China’s government surveillance regime, and its possible power over user data, is well known and has been in the news lately. For example, ByteDance, the Chinese owner of social media company TikTok, is in talks with Microsoft to sell its American operations because of security concerns.
Since 2015, with the invalidation of the Safe Harbor framework and the subsequent implementation of General Data Protection Regulation (GDPR), companies worldwide have worked hard to comply with EU privacy requirements. Having to constantly redo efforts costs time and money and leads to global uncertainty.
This new ruling and the obligations it puts on organizations is concerning, particularly for smaller companies. While constantly changing laws are problematic for businesses of all sizes, they are especially challenging for those without the resources or know-how to deal with complex compliance issues. With lower revenue due to the pandemic, many companies may be even less prepared than usual to spend resources on external counsel to perform case-by-case analyses of the local laws of each jurisdiction and their application to each data importer.
Remaining Data Transfer Mechanisms
While surveillance concerns are real, the ruling still leaves companies in a lurch. Technically, there are very few, if any, straightforward legal mechanisms left to transfer data out of the EU. Even the remaining options are fraught with uncertainty. All are currently under scrutiny and being called into question.
The data transfer mechanisms still available include:
- Standard Contractual Clauses (SCCs): As noted above, these are not an easy fix anymore. Data exporters, importers and EU data protection authorities all have greater obligations to review and ensure that the terms of the SCC can be honored and assess on a case-by-case basis whether countries importing data can provide adequate privacy protection, proportionality and redress. EU regulators advise if there’s any question, companies should suspend the transfers and consult their supervisory authority.
- Adequacy: Only a handful of countries currently qualify as having adequate levels of data protection under EU standards.
- Binding Corporate Rules (BCRs): These are policies for transfers within multinational organizations which are directly approved by EU data protection authorities in each case. Very few businesses have BCRs because they require expensive, multi-year creation and approval processes. Furthermore, they now explicitly require the same jurisdictional case-by-case analysis as the SCCs.
- Consent: Users can give explicit consent for specific data transfers, but consent is “difficult to rely on when addressing large volumes of data transfers.”
Related Article: Will There Still Be Marketing After GDPR?
The Good and Bad News From the Ruling
The good news:
- SCCs are still an option. It’s a positive that SCCs were not invalidated as well, which was a possible outcome.
- Data subjects are the clear winners, as they should be. Since their creation, the SCCs have been used primarily as a ‘set it and forget it’ option for companies who would sign them and then move on, without considering whether or not any of the parties subject to the clauses could actually implement their requirements in practice. The point of data transfer rules is to provide meaningful protection for people when their data is transferred, and the CJEU’s stated requirements for companies who use SCCs and other mechanisms means they must actually work to ensure their effectiveness. Businesses have just been handed a broken piano, and some will inevitably pull off the data protection equivalent of Keith Jarrett’s Köln Concert.
The bad news:
- Some companies, at some point, will be scrutinized for failure to properly implement data transfer requirements. Even if those decisions are made in good faith with best efforts, companies could still get in trouble and pay a price.
- Data transfers across borders will be harder in the next few years, amidst a larger global trend of stricter enforcement within the data privacy and regulatory sphere.
- The ruling now requires overworked and underfunded supervisory authorities to take on additional workloads to determine if companies now comply, when they’re already overwhelmed. How will they handle this additional workload and how will it affect companies with questions?
We’re All in This Together
With nascent European Data Protection Board (EDPB) guidance, not enough understanding and no consensus on a truly safe way forward, companies should crowdsource efforts to figure out what works. Everyone needs to focus, pay attention to guidance, and work with their vendors to ensure compliance. We all need to help each other through this new development, as it extends way beyond the privacy ship. As usual, the ruling leaves more questions than it answers.
Clarity and guidance will come in due course, but for now privacy professionals everywhere are left to decipher nebulous options and determine risk appetite. In other words, it's privacy business as usual.