From 2016 to 2020, the EU-US Privacy Shield regulated the transfer of personal data from the EU to the US. But in July 2020, the data transfer agreement was declared invalid by the European Court of Justice (Schrems II ruling), as it could not guarantee a level of data protection in line with the General Data Protection Regulation (GDPR), and prioritised US national security requirements. At least until new regulations take effect, US companies will be held more accountable and – if they want to avoid sanctions – must now be more actively involved than ever in the discourse on data protection. In a post-Brexit world, the UK will need a data adequacy agreement to transfer data beyond its borders.
- The current status: what’s next following the end of the EU-US Privacy Shield?
- What is the EU-US Privacy Shield?
- Contents and general conditions of the Privacy Shield
- Privacy Shield: the pros and cons
- The implementation of the Privacy Shield in practice
- Summary: a transitional arrangement lacking a solid foundation
The current status: what’s next following the end of the EU-US Privacy Shield?
Although the Privacy Shield has been invalidated, EU companies can still export personal data to the US. The European Commission decided that the EU standard contractual clauses (SCCs) – another commonly used instrument for data transfers – still make it possible for data to be transferred internationally. While US companies certified under the Privacy Shield will now have to negotiate that transfer via SCCs, UK companies will be under the same scrutiny, and must provide assurances that data won’t be stored and used beyond its agreed use.
Binding corporate rules (BCRs) refer to a framework used by companies with international operations and branches, who use the rules as binding guidelines for regulating data transfers that satisfy GDPR privacy standards. BCRs must be approved by a member state’s data protection authority (DPA). The GDPR regulates the conditions and requirements for binding corporate rules in Article 47.
Following the Schrems II judgment, the use of standard contractual clauses is subject to stricter rules and conditions: EU companies must take additional measures and, in principle, carry out a case-by-case assessment of each data transfer. This poses an additional hurdle for the UK, which is already facing a very complicated process in terms of rearranging data protection agreements in light of Brexit. But to make sure that data can be transferred from the EU to the UK, the UK requires an adequacy decision from the European Court of Justice (ECJ). Without it, long-term disruptions to data flow between the EU and UK are highly likely.
Furthermore, standard contractual clauses are subject to review by European supervisory and data protection authorities. So if the legal situation in a third country prevents a data recipient from complying with the obligations under the standard contractual clauses, data transfers may be suspended or even prohibited. In other words, the whole process must be taken into account when examining the level of data protection. Throughout, it must, therefore, be guaranteed that national security and investigative authorities in the recipient country have no access to personal data.
In the current situation, case-by-case assessment is particularly difficult for small and medium-sized enterprises, as they don’t normally have the know-how and the means to verify whether there’s an adequate level of data protection in a third country. Moreover, the ECJ’s ruling doesn’t specify exactly what concrete standards are to be applied to individual case assessments or to possible extensions of standard contractual clauses.
Nevertheless, SMEs should actively get to grips with the topic. Legal experts advise small and medium-sized enterprises to take the highest precautions and to create solid documentation on their own data protection efforts. In doing so, companies will be better prepared for a possible legal dispute and will be better able to defend their actions in court once the Privacy Shield ends.
In the UK, further complications are on the horizon. While in the transitional withdrawal period from the EU, the UK is still bound by the EU’s regulatory requirements with regard to data protection. From January 2021, though, that’s about to change. Since the EU will be concerned that the UK will transfer data on to the US as a ‘third country’, data transfers will be under more scrutiny than ever, and will probably be assessed on a case-by-case basis.
So, with a restricted data flow, how should UK businesses that collect data on EU citizens move forward, and what measures should they take to make sure they’re complying with all the formal aspects of standard data protection clauses? First and foremost, companies should examine all data flows, contracts, and relationships that involve the transfer of personal data from the EU to the UK. Once you’ve done that, you need to determine how the SCCs can be implemented to maintain that data flow. While some partners will be more willing to accept this new agreement to keep the business running as usual, others will certainly see it as a chance to renegotiate agreements in their favour. Experts suggest preparing for the worst, in other words, for the EU’s adequacy decision to go against the UK.
To put your business in the best possible position, it should be clarified whether it will assume special contractual obligations in view of the current situation (e.g. increased monitoring and notification obligations). In the current situation, EU companies could also call on UK business partners and service providers to use all available technical means to optimise data protection, for example the use of end-to-end encryption in video conferencing software.
EU companies that can do without data transfers, cloud services, and servers in third countries outside the EU will look for GDPR-compliant alternatives in Europe. In addition, developments in data protection law should be closely followed. In an FAQ document on the ECJ’s Privacy Shield judgment, the European Data Protection Supervisor (EDSA) provides information on the current status to interested and affected parties.
What is the EU-US Privacy Shield?
The Privacy Shield was officially introduced in mid-2016 as the successor to the EU-US Safe Harbor Privacy Principles. The aim of the agreement was to protect the data of European citizens that is stored and processed by companies based in the US after being transferred to the US. This exclusively concerned personal data, which, for example, is collected to a large extent in e-commerce. Personal data includes telephone numbers, customer IDs, credit card or identification numbers, account data, the appearance of a person, or the address of EU citizens in combination with other individual data.
The validity of the Safe Harbor successor was ended in July 2020 by a ruling of the European Court of Justice (ECJ). In the so-called Schrems II ruling of 16 July 2020, the ECJ assumed that the security level required in the General Data Protection Regulation (GDPR) won’t be achieved when storing and processing personal data in the US. Once the UK leaves the EU, it can therefore be assumed that UK national security and surveillance will be under more scrutiny than ever, just like the US.
The General Data Protection Regulation (GDPR) was adopted by the European Parliament on April 14, 2016 with a broad majority and entered into force on May 25, 2018 after a transitional period of two years.
With the end of the EU-US Privacy Shield, the ECJ also annulled the adequacy finding of the European Commission, which repeatedly confirmed that the US had a sufficient level of data protection. The ECJ ruling was triggered by a lawsuit filed by Austrian data protection expert Maximilian Schrems, who had previously initiated the end of the Safe Harbor Agreement with a lawsuit. In this lawsuit, Schrems wanted to prohibit Facebook Ireland from transferring his personal data to the United States, filing a complaint with the Irish data protection authority. When the Irish High Court did not initiate proceedings, Schrems sued them. In the second instance, the Irish data protection authority referred the matter to the ECJ for legal review, which ultimately overturned the EU-US Privacy Shield.
Contents and general conditions of the Privacy Shield
The Safe Harbor successor was based on special data protection measures and standards that had to be met by the US. An important element was that US companies could certify themselves with the Privacy Shield. After a US company voluntarily submitted to the terms of the agreement, a review by the US Department of Commerce took place. Once a company had successfully completed the process, it was included in a publicly accessible database. The list included a total of 5,384 organisations at the end of the agreement’s validity.
The EU-US Privacy Shield guaranteed EU citizens comprehensive rights when personal data was transferred to certified companies in the US – and EU citizens could contact the companies directly to claim these rights. These companies had to respond to the citizens’ concerns within 45 days. The rights guaranteed in the Privacy Shield included:
- Right to information and disclosure
- Right of objection (an objection could be made against data processing if necessary)
- Right to rectify inaccurate data
- Right to deletion of data
- Complaints/redress procedures were available
To enforce and protect their rights, EU citizens could also turn to an ombudsman within the US Department of State. The ombudsman should be independent of all intelligence services, investigate the concerns of private individuals, and provide information on whether applicable law is being observed in specific cases. However, the office was not filled until 2018 at the insistence of the EU. Manisha Singh initially served as ombudsperson, followed by Keith Krach in June 2019.
Alternatively, EU citizens could turn to their national data protection authorities, which could then contact the US Federal Trade Commission (FTC) directly for further clarification. If no other form of agreement could be found, then arbitration proceedings with an enforceable arbitral award acted as the final frontier. Additionally, all companies were able to act in accordance with the recommendations of European data protection authorities. Those companies that process personal data are obliged to do so anyway.
A prerequisite for the validity of the Privacy Shield was the adequacy decision by the EU Commission, which certified that the United States has adequate data protection standards for the storage and processing of personal data from the EU. The adequacy decision of 2016 was reviewed annually and renewed if the required level of data protection was met. The EU Commission and the US Department of Commerce conducted the review jointly with the involvement of experts. The procedure resulted in a publicly available report that was submitted to the European Parliament and the Council.
Despite these extensive data protection measures, mass surveillance was not completely ruled out. In six areas, which on closer inspection leave a certain scope for interpretation, the US was able to collect data on and for:
- Revealing activities of foreign powers
- Combating the proliferation of weapons of mass destruction
- Protection of US and allied forces
- Combating transnational criminal threats
Privacy Shield: the pros and cons
For EU citizens, the extensive rights to complain in the event of concrete breaches of data protection by US companies were among the benefits of the Privacy Shield agreement. An important component was also the purpose limitation principle: data could only be logged and processed for a purpose that was clearly defined in advance and legally permissible. For US-based organizations, the stamp of approval of providing ‘adequate’ privacy protection was key for the transfer of data outside of the EU, as was the fact that Member State requirements were waived for participating companies.
However, the EU-US Privacy Shield was met with opposition from the get-go. Critics argued that the agreement was not far-reaching enough. There were complaints that the requirements of the European Court of Justice were not sufficiently met and that many discrepancies were only cosmetically concealed. Since the post of ombudsman was assigned to the Ministry of Foreign Affairs, critics felt that the agreement lacked institutional independence and that it conflicted with the General Data Protection Regulation (Article 52 (1) GDPR). They also criticized the fact that affected EU citizens could not take legal action against decisions of the ombudsman’s office.
Another main point of criticism was that the mass surveillance measures were not subject to a proportionality test and thereby violated European law. The US was still the central controlling power and there was no evidence of an investigation by national supervisory authorities. The critics also found the urgently needed control of large US online companies to be lacking.
Due to these shortcomings, critics and experts assumed even at that time that the agreement would not stand up to review by the European Court of Justice, and therefore did not represent a long-term, legally sound solution. The conspicuously small differences from Safe Harbor were repeatedly denounced. Many critics assumed that various data protection loopholes were de facto not closed by the Privacy Shield.
The implementation of the Privacy Shield in practice
Following the abrupt end of the Safe Harbor agreement, economic uncertainty was initially high. There were fears of sanctions (in the form of fines) if a review were to reveal breaches of data protection. In addition, the new provisions meant that companies would have to face time-consuming and costly changes in the area of data protection.
Many companies at that time switched to EU standard contractual clauses (SCC) or already used them as an alternative or supplement to the Safe Harbor agreement (such as Facebook). This practice increased during the transition period until the EU-US Privacy Shield was more widely enforced and was maintained throughout the validity of the Safe Harbor successor. According to a study by PwC, 75 percent of US companies surveyed intended to use binding corporate rules to secure cross-border data transfers with the European Union.
The figures speak for themselves: in practice, many companies no longer wanted to rely solely on a data protection agreement that, like its predecessor, did not eliminate fundamental data protection problems and conflicts. With the end of the Privacy Shield in sight, annual validity checks served to increase mistrust. The alternative or parallel use of standard contractual clauses was also a reaction to the oftentimes slow implementation of key points of the Privacy Shield in the US, for example the long delay in filling the position of ombudsman.
Summary: a transitional arrangement lacking a solid foundation
Since the GDPR came into force, international data protection agreements have become much more difficult. That’s why the Privacy Shield remained a temporary transitional arrangement, which only provided a binding legal framework for international data transfers for a limited period of time. Following its failure, the Privacy Shield also transformed into a source of helplessness and uncertainty for the companies involved.
The fate of the Privacy Shield proves that fundamental data protection problems cannot be concealed in times of increasing digitalisation, but must be solved sustainably and with respect to the GDPR. Otherwise, long-term business models that operate on an international level and involve personal data will lose their foundation.
A growing awareness of data protection is steadily developing in the US and the UK. An awareness of the importance of working together with the GDPR is also discernible, as seen with the California Consumer Privacy Act (CCPA). However, whether the high and entirely justified standards of the GDPR can develop into a globally accepted standard that can be transferred to all digital trading partners seems rather questionable in light of the highly divergent global views regarding data protection.
The GDPR, which is currently being supplemented by other EU data protection regulations such as the e-privacy regulation and directives such as the EU cookie laws, could increasingly prove to be a point of contention and an obstacle in international economic relations, especially following the Brexit withdrawal agreement.