This article is written by Shreya Jain, pursuing a Diploma in International Data Protection and Privacy Laws from Lawsikho. The article has been edited by Zigishu Singh (Associate, LawSikho) and Indrasish (Intern at LawSikho).
It is an inevitable fact that if data exists, it needs to be safeguarded. With the rapid growth of technology, it is unrealistic to think that anybody can keep control of their data in daily life without taking deliberate steps. Simply by going online, we share details that may affect our privacy directly or indirectly. To protect the rights and freedoms of individuals, governments must take a stand and protect the fundamental right to privacy, whether the data stays within the state or leaves it. The European Union adopted a comprehensive and stringent law for this purpose, the General Data Protection Regulation (GDPR), which became applicable in May 2018. It applies to the processing of personal data of individuals in the EU by organisations established in the EU and, in many cases, by organisations outside the EU that offer goods or services to, or monitor, such individuals; it also restricts transfers of that data to third countries, including transfers to third-party vendors.
To validate data transfers between the EU and the US, a framework known as Safe Harbour was agreed between the European Commission and the US Department of Commerce. Its purpose was to let US organisations that self-certified to a set of privacy principles receive personal data from the EU, so that EU exporters could transfer data to third-party vendors in the US without the legal risk and regulatory liability of an unlawful transfer.
Who are third-party vendors?
When a data controller outsources data processing activities to another organisation, the latter is called the data processor or, in commercial terms, a third-party vendor. Third-party vendors are entities that process personal data (in US usage, personally identifiable information or PII) on the documented instructions of the data controller. A few examples include email service providers (ESPs), customer relationship management (CRM) systems, cloud service providers, etc.
Sharing data with third-party vendors is considered a high-risk area for privacy breaches. Article 28 of the GDPR specifically requires controllers to use only processors that provide sufficient guarantees to implement appropriate technical and organisational measures so that processing meets the requirements of the GDPR, and to bind them by a contract covering the matters listed in Article 28(3). Vendor risk management is therefore not optional for a business that shares personal data.
What is a privacy shield and when did it come into place?
To understand Privacy Shield, it is essential to understand Safe Harbour (2000-2015) first. The US Department of Commerce and the European Commission agreed on a set of privacy principles, and the Commission recognised them as adequate by Decision 2000/520/EC under Directive 95/46/EC of 24 October 1995. Safe Harbour primarily enabled the transfer of personal data from the European Union to the US. The principles included notice to individuals, the right to object to the transfer or use of data for purposes other than those consented to, explicit consent for sensitive data, and the right of access and correction. This adequacy mechanism was invalidated by the Court of Justice of the European Union (hereinafter referred to as the CJEU) on 6 October 2015 (Schrems I, Case C-362/14), 15 years after it was adopted. The invalidation followed a complaint by Maximillian Schrems, an Austrian privacy advocate, who argued that, in the light of the Snowden revelations, the US did not ensure adequate protection for the data of EU residents that Facebook transferred there, as required by the Directive and the Charter of Fundamental Rights of the European Union.
Privacy Shield was the successor to the Safe Harbour agreement. The European Commission adopted its adequacy decision on 12 July 2016, and the US Department of Commerce began accepting self-certifications on 1 August 2016; it is also known as the EU-US Privacy Shield. Like its predecessor, it was meant to permit the transfer of personal data of EU residents and to keep trade between the two parties running smoothly. It replaced the failed Safe Harbour agreement and was intended to close the gaps that had led to its invalidation.
Seven principles of privacy shield
(Figure: The U.S.-EU Privacy Shield Framework)
Seven principles were guaranteed under Privacy Shield by US companies handling personal data governed by EU law:
- Notice: organisations must notify individuals about the collection and use of their personal data, including the purposes and the types of third parties to which it is disclosed.
- Choice: individuals must be given the opportunity to opt out of the disclosure of their personal data to a third party or its use for a materially different purpose, and must opt in for sensitive data.
- Accountability for onward transfer: organisations remain responsible for applying the notice and choice principles, and for contractually binding the recipient, when they disclose personal data to third parties.
- Access: individuals must be given access to the personal data an organisation holds about them, and be able to correct, amend or delete it where it is inaccurate.
- Security: organisations must take reasonable and appropriate measures to protect personal data against loss, misuse, unauthorised access, disclosure, alteration and destruction.
- Data integrity and purpose limitation: organisations must limit personal data to what is relevant for the purposes of processing and take reasonable steps to ensure it is reliable, accurate, complete and current.
- Recourse, enforcement and liability: a readily available and independent recourse mechanism must be provided to individuals who believe their data has been misused by the organisation, backed by sanctions for non-compliance.
Is privacy shield safe?
This question arose again in EU-US trade practice when Maximillian Schrems, the same Austrian privacy advocate, pursued a further complaint with the Irish Data Protection Commissioner (the Irish DPA) against Facebook Ireland concerning the transfer of his data to Facebook Inc. in the US. He argued that US law did not give EU residents sufficient legal protection for their personal data once it was transferred. Because the GDPR requires that data transferred to a third country receive a level of protection essentially equivalent to that guaranteed in the EU, the question became whether the US ensured such an adequate level of protection, and the conclusion was that it did not.
Privacy Shield was criticised from the outset because it relied on self-certification, leaving it largely to the participating companies to decide how much protection the personal data of data subjects actually received. A further criticism was the lack of effective legal remedies for data subjects before US authorities if their data was accessed or misused.
The major reason for the invalidation of Privacy Shield in Schrems II was its inability to protect the personal data of EEA data subjects from the US Government's surveillance powers under national security laws (in particular Section 702 of FISA and Executive Order 12333). The major arguments raised in the proceedings were:
- First, it was alleged that the Standard Contractual Clauses (SCCs) do not ensure an adequate level of protection for EU data subjects.
- US authorities can interfere with the data of the data subjects, which calls the adequacy of US protection into question.
- There is a fair chance that the personal data of EU data subjects will be accessed and processed by the US government once it is transferred, without protection equivalent to that of EU data protection law and the Charter of Fundamental Rights.
- The data transferred to Facebook US is made available to certain US authorities, such as the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI), for monitoring programmes that are inconsistent with applicable EU law.
The compliance of the EU-US Privacy Shield with the GDPR was therefore in question before the CJEU in the Schrems II case for the above reasons. Since the CJEU ruling declared Privacy Shield invalid, an alternative transfer mechanism with additional safeguards became necessary for cross-border transfers of EU residents' data to the US.
Significance of CJEU Ruling
The CJEU ruling is significant in several ways. It addressed long-standing concerns about the adequacy of the protection granted to personal data by the US. It also created legal uncertainty for all organisations within the EU that intend to transfer data to the US or to other third countries, as to which legal basis can now be used for such transfers.
Is it still valid in the present scenario?
No, the EU-US Privacy Shield is no longer valid, as held in Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (Case C-311/18, also referred to as Schrems II). On 16 July 2020, the CJEU delivered its judgment invalidating the Privacy Shield adequacy decision, so that any business continuing to rely on the scheme as its legal basis for transfers would be transferring data unlawfully. The same judgment upheld the validity of the Standard Contractual Clauses, but only on condition that the exporter verifies, case by case, that the law of the destination country allows the clauses to be complied with in practice.
The GDPR provides a strong level of data protection, so businesses need to keep personal data confidential and give data subjects control over it. The CJEU found that the US does not ensure an essentially equivalent level of protection: US surveillance programmes allow government authorities access to transferred data that is not limited to what is strictly necessary, and the Privacy Shield Ombudsperson mechanism did not give EU data subjects actionable rights before an independent and impartial body. Privacy Shield was invalidated on these grounds, and businesses must seek alternatives to keep their data flows, and therefore their operations, running.
What happens next after Schrems II?
The after-effects of Schrems II were dealt with through three kinds of action, summarised in the points below:
(Figure: Three kinds of actions after Schrems II)
- One of the immediate effects is the invalidation of the EU-US Privacy Shield by the CJEU. Companies that were Privacy Shield certified had to shift completely to other mechanisms for transferring data. The CJEU dismantled Privacy Shield as a legal basis for transfers under EU law, but the framework itself still exists and US regulators continue to administer and enforce it against certified companies. To be on the safe side, companies have to adopt a new mechanism to transfer personal data to avoid legal consequences.
The CJEU held that the use of SCCs requires data exporters to assess, on a case-by-case basis, whether the destination country affords a level of protection essentially equivalent to that guaranteed by the GDPR.
- Companies were advised to create and maintain an inventory of all contractual agreements relying on SCCs. This inventory is needed in any case, since companies will eventually have to amend or replace their SCCs.
- For SCCs, whether newly signed or existing, companies were also directed to conduct a Transfer Impact Assessment. International transfers can be complex and difficult to trace, so such an assessment covers the nature and scope of the transfers, the law and practice of the destination country, and the risks connected with them. These assessments are meant to identify and reduce the risks before the transfer takes place.
- Supplementary measures and clauses were also required to address potential risks that have a high chance of materialising if not taken seriously. Such measures include technical protections: encryption where the keys are held only by the exporter, pseudonymisation, and password-protected or otherwise access-controlled transfers are examples that may accompany the SCCs. The European Data Protection Board's Recommendations 01/2020 describe such supplementary measures.
- Like SCCs, Binding Corporate Rules (BCRs) must also be supported by the same assessments and measures to comply with the post-Schrems II scenario.
- Regulators must issue detailed and exhaustive guidance to help companies comply with data protection law, carry out meaningful transfer impact assessments and apply the Schrems II judgment consistently.
- A new set of SCCs, adopted by the European Commission on 4 June 2021, replaces the existing ones; companies have to migrate to the new clauses, which are more detailed and exhaustive and cover most of the aspects needed to comply with the law.
- Greater use of technical solutions, such as encryption, that are primarily designed to protect data.
In the long term, even after taking all necessary steps, there is a fair chance that data shared outside the EU is not completely protected from foreign government access. Transfer impact assessments and the other actions above are needed, and companies are expected to question whether they need to share the personal data of EU residents internationally at all. With the pace of technological change, robust solutions are required for companies to safeguard the interests of data subjects.
Few steps which could assist companies to comply with GDPR
- Adopt SCCs with caution for international transfers
- Data exporters/controllers are responsible for verifying whether third-party vendors in the third country provide the same level of data protection as the controllers provide in the EU.
A strong privacy governance tool can help identify whether current processes and practices align with these requirements.
- Increase understanding of the GDPR's other transfer options, such as binding corporate rules and derogations
Binding Corporate Rules are used when data is transferred to other countries but within the same corporate group. Derogations for specific situations (Article 49 GDPR) apply where there is no adequacy decision and no appropriate safeguards, for example where the transfer is necessary for important reasons of public interest or for the performance of a contract; they are interpreted restrictively and are meant for occasional transfers, not as a routine basis. To ensure a proper understanding of the restrictions and requirements of both options, an organisation needs to consider whether either would work for it.
- Implement a strong data privacy and governance programme, such as the NIST Privacy Framework
To choose a new data transfer mechanism to replace Privacy Shield, a company needs to know what personal data it collects, stores, uses and shares; building and maintaining a strong privacy and data governance programme provides this foundation.
- Stay updated
Follow the updates released by the European Commission and the European Data Protection Board and monitor such developments for future guidance.
- Data controllers should explore EU cloud providers or EU data centres as an alternative to transfers
The CJEU ruling invalidated the Privacy Shield basis for EU-US transfers, but it does not prevent the use of cloud service providers such as Microsoft or Google where the data is stored and processed in an EU data centre, since keeping data inside the EU can avoid an international transfer altogether. Note, however, that a provider headquartered in the US may still be subject to US legal process for data under its control, so this option also needs to be assessed. The chart below depicts active Privacy Shield participants:
(Figure: Active Privacy Shield participants by industry)
This article has dealt with the sharing of personal data of EU residents with US businesses, initially under the Safe Harbour agreement and later under Privacy Shield. Both agreements were struck down by the CJEU because of gaps that made it impossible for the US to guarantee the privacy of EU data subjects, in particular against government surveillance.
In this scenario, third-party vendors ought to maintain a level of protection similar to that maintained by the data controller; however, in the US, only two states, Virginia and California, had enacted comprehensive consumer data protection laws at the time of writing. To safeguard trade relations with the EU, the US must take appropriate action. The US needs a federal data protection law, or at least consistent state-level laws; otherwise, if the present situation continues, it will soon face legal as well as economic consequences.
Moreover, the US also has to clarify under which circumstances government authorities can access the data of EU residents and, where the two legal regimes conflict, which one prevails. In conclusion, it is not safe to trust third-party vendors with the personal data of EU residents unless the transfer is accompanied by a valid transfer mechanism: an adequacy decision, or SCCs or BCRs backed by a transfer impact assessment and supplementary measures.