Striking Down of EU-US Privacy Shield – What do organisations need to do to maintain data protection compliance?

Before you read this article, you may benefit from reading our article about the CJEU / ECJ’s landmark judgement (C-311/18, ECLI:EU:C:2020:559) striking down the EU-US Privacy Shield.

This judgement affects transfers of the personal data of EU data subjects to the United States and reviews the use of SCC (standard contractual clauses) and the EU-US Privacy Shield. That article will help you understand the actions suggested here and where they come from.


Important: The information provided here is generic, given in good faith and is not and does not constitute legal advice. You should seek specific guidance and interpretation for your organisation, sector and specific issue.


What data transfers are unaffected by this judgement?

This judgement does not affect ‘necessary’ personal data transfers. Necessary transfers are those that pass the ‘necessity test’[1], where personal data must be transferred to the United States (US) for the purpose it is sent for, e.g., an organisation purchases a product or service from a US organisation (a standard business transaction), sends an email to someone in the US, books a hotel in the US, etc. These are necessary data transfers for the purpose of completing the business transaction, and derogations for them exist under EU Regulation 2016/679 (the GDPR) article 49[2], further covered within the EDPB’s (European Data Protection Board) ‘Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679’[3]. Note that the EDPB’s guidelines require these derogations to be interpreted restrictively: they are intended for occasional transfers, not as a basis for routinely outsourcing processing to a third country.

This judgement principally relates to transfers of personal data to the US. However, the court’s reasoning on SCC, in our view, applies equally to personal data transfers to any third country, and as such all transfers outside of the EU/EEA need to be reviewed on the same basis as suggested within this article below.

This judgement does not affect data that is not ‘personal data’, as such data is outside the scope of the EU GDPR.

Consumers acting individually are also permitted to send their own personal data freely and knowingly to a third country, e.g., visiting a website in a third country to book a hotel or buy a product. However, they cannot send the personal data of others without those data subjects’ consent, that is, a ‘freely given, specific, informed and unambiguous indication’[4] of their wishes.

Also, consumers can continue to use an EU subsidiary of a US parent organisation, e.g., Google Ireland, Microsoft Luxembourg, Amazon Luxembourg, Facebook Ireland, etc., as the onus is on the EU subsidiary to ensure that ‘internal flows’ of personal data to the US parent are EU GDPR compliant.

What are the implications for your organisation?

All organisations processing the personal data of EU data subjects, where that personal data may be processed in a third country that is not covered by an adequacy decision (article 45), are required under EU Regulation 2016/679 (the GDPR) to provide ‘appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available’[5].

‘Appropriate safeguards’ must be an appropriate legal mechanism such as ‘binding corporate rules’[6] (BCR) or ‘standard contractual clauses’[7] (SCC) or, in the case of the United States prior to 16 July 2020, the EU-US Privacy Shield.

The CJEU / ECJ landmark judgement C-311/18 striking down the EU-US Privacy Shield[8] means that where the Privacy Shield was relied on, and not every organisation will be aware they were relying on it, there is no longer a valid legal mechanism protecting EU data subjects’ personal data transfers to the US, and those transfers are now unlawful unless another mechanism is put in place.

This means several things: all organisations should act promptly and decisively, documenting their actions; they should review all data transfers to see which are affected, and not just third country transfers, for the reasons identified in Scenario 1 below; and they should act on the findings of that review without delay.

If a DPA (Data Protection Authority) / SA (Supervisory Authority) investigates your organisation on this, the documentation of actions and the speed with which you acted will likely work in your favour given the extraordinary circumstances arising from the judgement.

Failure to review, and to act on the findings, could lead to penalties under the GDPR, and these fall in the higher bracket of up to €20m or 4% of total worldwide annual turnover, whichever is higher, for transferring personal data without a legal instrument[9]; there is no grace period[10].

What does your organisation need to do to maintain compliance?

In the following sections we offer general guidance to organisations, and it must be considered as such, given in good faith, as it cannot and does not constitute legal advice. We look at several scenarios and suggest what needs to be considered as actions. A caution, though: these are generic scenarios and every organisation should seek formal guidance specific to their situation, issues, and processing activities. We would be happy to talk through the issues with any organisation; talk is free. Use our ‘Contact Us’ page to get in touch.

Scenario 1: Our organisation DOES NOT use data processors or service providers outside of the EU/EEA.

If your organisation is based within the EU/EEA and contracts only with EU/EEA service providers who process personal data on your behalf, you might think you have no work to do. However, you could be mistaken.

The issue and risk now is ‘who do your service providers or data processors use?’ For example, do your EU service providers make use of low-cost cloud servers, sub-processors or data centres owned and operated by a US service provider? If ‘yes’, then these transfers could fall under US surveillance laws such as FISA Section 702 (the judgement also examined Executive Order 12333); this means that you have work to do, as you need to look beyond your immediate service providers to ‘who they use’, and possibly further if you identify issues. You must check and be certain, as the onus is on your organisation as the controller. If ‘yes’, also consider the points in Scenarios 2 and 3 below.

Revisit and Review the following (at the minimum):

  • Due diligence questionnaires with service providers, adding new questions about where the processing takes place, who they use, whether their services process personal data in a third country, whether those third country service providers are subject to surveillance laws that would prevent them from honouring the contractual safeguards, etc.
  • Corporate risk register to ensure that any third country processing is identified as a risk on the register, and what mitigations (legal mechanisms) are in place to reduce the risk. Note, these issues may affect insurance risks and your insurance brokers will likely need to be informed to ensure continued coverage of the risk.
  • Revisit DPIAs (data protection impact assessment) covering the processing identified above.
  • Update Records of Processing Activities.

Important: if you find issues and your organisation’s personal data is being transferred outside the EU/EEA to a third country (including the US), you may need to inform your data subjects individually. You will need to take advice on this relating to the specifics and circumstances of the transfer.

Scenario 2: Our organisation DOES USE data processors or service providers outside of the EU/EEA.

If your organisation is based within the EU/EEA and contracts with service providers in a third country (including the US), requiring the processing of personal data other than that for a normal business transaction (as those may be ‘necessary’ personal data transfers covered by the article 49 derogations[11]), you first need to:

1) Review the legal mechanism for the personal data transfer. Is it the EU-US Privacy Shield? If ‘yes’, then this basis for transfer is no longer valid. If it is SCC, note that the judgement also requires you to verify, case by case, that the law of the destination country allows the importer to honour the clauses in practice. In either case you will need to contact your service providers and:

1.a) Check if the service provider is subject to US surveillance laws or FISA 702 and:

1.a.1) If ‘yes’, you may need to cease the personal data flows, establish new service providers within the EU/EEA, and return all personal data to the new EU/EEA based service providers, as well as informing the data subjects of this change and why. Document the outcome.

1.a.2) If ‘no’, ask your third country service providers if they use service providers (or sub-processors) for your personal data transfers and if they do, return to question 1.a. above and in this scenario, ask them to ask this same question of their service providers. Document the outcome. If the answer from their service providers is ‘yes’ and these ‘sub-processors / sub-service providers’ are subject to those laws, you will need to ask your primary service provider to find new sub-processors who are not subject to those laws. If these new sub-processors cannot be sourced and the processing situation remains, then you need to return to action suggested in question 1.a.1. Document the outcome.

1.a.3) If ‘no’ to questions 1.a. and 1.a.2. and none of your service providers or their sub-processors are subject to these laws, then you could likely make use of SCC[12] (standard contractual clauses) to return the personal data transfers to legal compliance with the GDPR.

Revisit and Review the following (at the minimum):

  • Due diligence questionnaires with service providers, adding new questions about where the processing takes place, who they use, whether their services process personal data in a third country, whether those third country service providers are subject to surveillance laws that would prevent them from honouring the contractual safeguards, etc.
  • Corporate risk register to ensure that any third country processing is identified as a risk on the register, and what mitigations (legal mechanisms) are in place to reduce the risk. Note, these issues may affect insurance risks and your insurance brokers will likely need to be informed to ensure continued coverage of the risk.
  • Revisit DPIAs (data protection impact assessment) covering the processing identified above.
    • Review and, if necessary, replace the legal mechanism for the personal data transfers as explained above.
  • Update Records of Processing Activities.

Important: if you find issues, you may need to inform the data subjects individually. You will need to take advice on this relating to the specifics of the transfer.

Scenario 3: Our organisation uses an EU subsidiary data processor or service provider of a US parent company.

The first issue here is what the personal data flows are and where they go. Your organisation ought to contact your data processor or service provider and ask:

1) What are the personal data flows, where is the personal data processed?

1.a) If the answer is, ‘the processing happens inside the EU/EEA’, then ask:

1.a.1) Does any personal data at any point leave the EU/EEA and is it transferred to their US parent?

1.a.1.i) If ‘yes’, ask if the US parent is subject to US surveillance laws or FISA 702.

A) If ‘yes’, you may need to cease the personal data flows, establish new service providers within the EU/EEA, and return all personal data to the new EU/EEA based service providers, as well as informing the data subjects of this change and why. Document the outcome.

B) If ‘no’, you need to check whether the provider has approved BCR[13] (binding corporate rules) covering the internal data flows from the EU subsidiary to the US parent, or ask them to put these, or another article 46 safeguard, in place.

1.a.1.ii) If ‘no’, ask your EU subsidiary service provider if they use service providers or sub-processors within the EU/EEA for your personal data transfers and, if they do, ask if those service providers or sub-processors are subject to US surveillance laws or FISA 702. Document the outcome. If the answer is ‘yes’ and these ‘sub-processors / sub-service providers’ are subject to those laws, then you will need to ask your primary EU subsidiary service provider to find new sub-processors who are not subject to those laws. If these new sub-processors cannot be sourced and the processing situation remains, then you may need to cease the personal data flows, establish new service providers within the EU/EEA, and return all personal data to the new EU/EEA based service providers, as well as informing the data subjects of this change and why. Document the outcome.

Revisit and Review the following (at the minimum):

  • Due diligence questionnaires with service providers, adding new questions about where the processing takes place, who they use, whether their services process personal data in a third country, whether those third country service providers are subject to surveillance laws that would prevent them from honouring the contractual safeguards, etc.
  • Corporate risk register to ensure that any third country processing is identified as a risk on the register, and what mitigations (legal mechanisms) are in place to reduce the risk. Note, these issues may affect insurance risks and your insurance brokers will likely need to be informed to ensure continued coverage of the risk.
  • Revisit DPIAs (data protection impact assessment) covering the processing identified above.
    • Review and, if necessary, replace the legal mechanism for the personal data transfers as explained above.
  • Update Records of Processing Activities.

Important: if you find issues, you may need to inform the data subjects individually. You will need to take advice on this relating to the specifics of the transfer.


Notes

With special thanks to: Claude Saulnier for his review and feedback on the writing of this article.

[1] EDPB, ‘Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679’ (<https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_2_2018_derogations_en.pdf>), page 5

[2] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L 119/1, art 49.

[3] n1. section 2.2

[4] n2. art 4.11

[5] n2. art 46.

[6] n2. art 46.2(b)

[7] n2. art 46.2(c)

[8] Case C-311/18 Data Protection Commissioner v Facebook Ireland Ltd, Maximillian Schrems [2020] CJEU para 199

[9] n2. art 83.5(c)

[10] n8. para 134

[11] n2. art 49.1(b) – (c)

[12] n2. art 46.2(c)

[13] n2. art 47.

Note: This article cannot and does not constitute Legal Advice.
