On 16 July 2020, the world was hit by a tremor of genuinely global proportions: The Court of Justice of the European Union invalidated the Privacy Shield, the system through which European companies are able to export personal data to the US in full compliance with the General Data Protection Regulation (GDPR).
On the other side of the Atlantic, the position of every company in the digital sector in Europe, the world’s second largest market, has now been called into question. In Europe, opinions are divided along the usual fault lines in the field of personal data protection. Privacy advocates see this development as a wakeup call to the USA, the land of the National Security Agency and other immensely powerful government agencies. European start-ups and other supporters of digital sovereignty see an opportunity to gain market share. Yet most European companies are less positive, scratching their heads in terms of the action to be taken in order to remain within the law. It is a major issue: the transfer of personal data across the pond based on the sole and now defunct Privacy Shield may be sanctioned by up to 4% of annual revenue. In France, the Criminal Code sanctions the transfer of personal data outside the EU without guaranteed protection, with 5 years’ imprisonment and a fine of 300,000 euros.
At DiliTrust, we welcome this decision with open arms. It reinforces our commitment to the question of digital sovereignty. It also confirms the risks of data being transferred to the US.
THE PRIVACY SHIELD, A FRAMEWORK SOLELY COVERING PERSONAL DATA
Companies hold an increasing volume of data. With regards to the Privacy Shield, it must be stressed that only personal data is covered by the associated transfer restriction. The term “personal data” means any data which enables a person to be identified directly (e.g. surname, first name) or indirectly (e.g. ID number or set of identifying information which, as a whole, enables identification).
Accordingly, personal data may be any information relating to an employee in a contract (e.g. employment contract stating their position, job, salary, etc.), but also certain information contained in the minutes of meetings (board of directors, executive committee, etc.).
Certain information, however, notably data held in commercial court registers, is not treated as personal data. Although distribution of this data is supervised, it mostly escapes the provisions of the GDPR and is covered by the CRPA, the French code covering relations between the public and state authorities.
THE PRIVACY SHIELD, A SELF-CERTIFICATION MECHANISM
The Privacy Shield came into force on 1 August 2016, the date on which the EU acknowledged that the mechanism complies with the Data Protection Directive (subsequently replaced by the GDPR).
The Privacy Shield is a framework within which companies located in the US have been able to self-certify with the Federal Trade Commission (FTC). To this end, US companies had to commit to a certain number of data protection measures such that personal data received from Europe benefited from an adequate level of protection. The certification had to be reviewed annually and covered HR and non-HR personal data.
Every European company could then legally transfer personal data to any of the 5,500 signatories of the Privacy Shield. These signatories include all the leading lights of Silicon Valley (Google, HubSpot, Dropbox…) and those seeking to acquire this status. But it did not include operators such as banks, insurance companies or telecoms providers, as they are specifically excluded from the mechanism because they are not subject to the authority of the FTC.
The US provided the EU Commission with numerous guarantees concerning the “professionalism” of the mechanism. Commitments were given to effectively audit signatory companies and to issue sanctions in the event of non-compliance. Furthermore, European citizens could refer the matter to their national data protection authority should any signatory company fail to comply with its commitments. A cooperation framework was therefore established between the national European authorities and the FTC. Lastly, personal data could only be accessed by the federal authorities for reasons of “national security”. This last point is particularly important.
THE PRIVACY SHIELD: A DISPUTED MECHANISM
A similar framework, namely, Safe Harbor, was implemented in 2000 before being invalidated by the Court of Justice of the European Union (CJEU) in 2015 for reasons and in a context that were very similar to the recent decision. As we will see, the deterministic maxim applies under which “the same causes produce the same effects”.
In 2015, under the Data Protection Directive, the Austrian lawyer Maximilian Schrems petitioned the Irish Data Protection Commissioner (DPC) to sanction Facebook for having transferred personal data to its servers in the US. In support of his demand, the activist cited the absence of data protection legislation and the existence of mass surveillance practices covered by varying levels of supervision. The DPC did not respond favourably to this request on the grounds of Facebook being a signatory of the Safe Harbor. The matter was then referred to the Irish High Court by Maximilian Schrems to have this decision overturned. The Irish court then referred the matter in turn to the Court of Justice of the European Union to obtain its opinion on this point of law under the preliminary ruling mechanism. In its ruling, the CJEU invalidated the Safe Harbor as providing an adequate guarantee of compliance with EU law relating to the transfer of personal data to the US.
Five years later, Maximilian Schrems issued the same demand to the DPC, who once again referred the matter to the CJEU. In the meantime, the Directive had been replaced by the GDPR, although it is significantly in line with the Directive regarding the transfer of data outside the EU. The Safe Harbor was also replaced by the Privacy Shield in 2016. Furthermore, Facebook supplemented its Privacy Shield certification with Standard Contractual Clauses, which we will examine in due course. Despite these changes to the legal texts and mechanisms, the CJEU has invalidated the Privacy Shield while clearly pointing the finger at current surveillance legislation in the US: “the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to that third country […], are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary.” (Press release excerpt).
Data privacy advocates were delighted to see the CJEU consign this mechanism to history. As they should, given that the objective of this legal body is to issue legal rulings independently of any economic or political considerations. The same cannot be said of the European Commission over the past four years. Since its inception, the Privacy Shield has been widely criticised, commencing with the body bringing together national data protection authorities such as CNIL (Commission Nationale de l’Informatique et des Libertés) in France, namely the European Data Protection Board (EDPB). In its second report on the Privacy Shield, the EDPB condemned the superficial supervision of the FTC and the mass surveillance systems. For its part, the European Parliament has always demonstrated its hostility towards these provisions. This was reinforced in 2018 when the US passed the Cloud Act, extending the potential for surveillance by the public authorities. Whispers in the Commission’s corridors suggested regret at having underestimated the number of public authorities with access to the data (ranging from the DEA, the police and stock market authorities right down to local sheriffs). However, every annual report issued by the Commission indicated frustration regarding the good intentions of the US. But it would have been difficult to take a backwards step without full repudiation or risking retaliatory measures by the Trump administration. Max Schrems neatly summarised the situation in 2016: “The Privacy Shield is the product of pressure exerted by the US and big tech, not the fruit of any rational approach or reasonable considerations.”
TRANSFER OF DATA TO THE US: THE FOUR REMAINING OPTIONS
Now that European companies can no longer depend on the Privacy Shield, what can they do if they wish to continue to work with their US service providers?
We must first of all remember that transferring personal data outside the EU in order to execute a contract is still GDPR-compliant. For example, imagine that you are organising a corporate seminar in the US. You will need to send a list of your employees to local tourism operators, such as hotels and transport companies. The transfer of your employees’ personal data is lawful in this case as it is “necessary” for the contract. But the contract must contain provisions ensuring that the data is protected by your service provider. Whether the provider is European or otherwise, this is a general obligation under the GDPR.
The solution may also be technical in nature. You can request your service providers to host your data in Europe. All the big US operators already offer this option, including Google, Microsoft, AWS, etc. But it is also true that, in certain cases, the related migration comes at a high cost and disrupts technical roadmaps. Furthermore, particular attention must be paid to your company’s own employees and service providers, because a transfer of data outside the EU is constituted by the simple fact of making said data accessible from a country outside the EU, even when it is hosted in Europe. This situation frequently occurs in the case of companies using an offshore call centre, with every employee logging on to the client’s systems hosted in Europe.
Lastly, and above all, the CJEU stated that it is possible to protect data via contractual means with a US partner. In its decision, the court reiterated the validity of using Standard Contractual Clauses (frequently abbreviated to “SCCs”). SCCs are clauses drafted by the European Commission (see Commission decision 2010/87 of 5 February 2010). They include a wide range of personal data protection obligations similar to those set out in the GDPR. Accordingly, you should verify the existence of SCCs in your contracts without delay. Big tech companies and other leading US operators inserted such SCCs in most of their contracts well before the CJEU ruling. Smaller US companies can therefore be expected to contact their European clients with these proposed amendments to their contracts. But you must make sure that the proposed SCCs are the right ones. There are, in fact, two categories of SCC: those for data transfers between two data controllers and those for transfers between a data controller and a processor. Lastly, in order for these additions to be legal, the clauses must be incorporated into the contract in full, without any changes.
But the keenest lawyers and DPOs are somewhat perplexed at the CJEU’s logic of invalidating the Privacy Shield yet validating the SCCs. In its decision, it justified the validity of the SCCs as they oblige the European data “exporter” and the US data “importer” to verify upstream the level of data protection provided by the third country in question. In the absence of protection legislation, the importer must inform “the data exporter of any inability to comply with the standard data protection clauses, the latter then being, in turn, obliged to suspend the transfer of data and/or to terminate the contract with the former.” Having stated that US law provides inadequate protection, it is hard to believe that the CJEU gives free rein to companies to assess the situation… we are forced to observe that legal uncertainty remains even if SCCs are employed. The simplest solution that remains is to favour collaboration with European operators. This is why DiliTrust has decided to host client data in France in the interests of optimum confidentiality.
In conclusion, the supervisory authorities of each member state will be meeting in the near future in order to issue guidelines for adapting to these new configurations. The discussion points are expected to include clarification of company deadlines for transferring to SCCs and how they are to be employed. Lastly, supplementary to the legal dimension and the technical implications, this ruling appears to present an opportunity for European companies to ask themselves what role they wish to play in an issue just as important as data protection, namely European digital sovereignty. Certain European companies and their IT departments favour technological performance over sovereignty. We hope that these developments will have raised awareness about the importance of local hosting and will see them follow in the footsteps of many CAC 40 companies that have already opted for sovereign solutions.
The end of the Privacy Shield highlights the risks posed when transferring personal or other data to the US and calls for hosting to take place in Europe. This requires European companies to implement a number of measures without delay. DiliTrust can provide you with the expertise and fully compliant and secure solutions to support you during the process.
- Identification of data transfers with the US.
- Among these transfers, identification of those based on the Privacy Shield.
- Classification of transfer categories: between two data controllers or between a data controller and a processor, in order to determine which standard contractual clause needs to be applied.
- Work on the standard contractual clauses.
- Work on the Binding Corporate Rules (“BCR”, Art. 47 GDPR) for international groups.
- Classification of governing bodies’ sensitive data.
- Safeguarding the sensitive data of boards of directors and committees.
- Protecting access to European companies’ strategic decisions, M&A processes, patents, technical processes, etc.
- Facilitating the future work of governing bodies and legal teams.