EU-US Privacy Shield invalidation

Last week the Court of Justice of the European Union (CJEU), in what is known as the ‘Schrems II’ judgment, invalidated the EU-US Privacy Shield mechanism for data transfers between the EU and the US. This causes issues for Jersey organisations that may have been using the Privacy Shield to transfer personal data to the US, or that use Processors based in the US.

 

Background

In 2013, Maximillian Schrems, an Austrian lawyer and author, filed a complaint against Facebook with the Irish Data Protection Authority. The substance of the complaint was to stop Facebook’s Irish HQ transferring personal data to its US parent which, in his view, violated European data protection rules. His complaint centred on the PRISM surveillance program conducted by the US National Security Agency, which enabled the mass collection of internet communication data from US-based internet companies. Schrems believed that such cross-border transfers of personal data were unsafe and unlawful.

At that time, transfers between the EU and the US were conducted under the former ‘Safe Harbor’ scheme. Schrems’ complaint led to the invalidation of the Safe Harbor scheme, and shortly thereafter another mechanism known as the EU-US Privacy Shield came into being.

In addition to the Safe Harbor, and latterly the Privacy Shield, mechanisms, another EU-approved mechanism for cross-border transfers was also available: the EU Standard Contractual Clauses (SCCs) (EC decision 2010/87/EU). At the time of the first Schrems complaint, many companies switched to using SCCs for cross-border transfers to the US as an alternative mechanism to the Safe Harbor framework. However, Schrems also had concerns about the SCCs mechanism, and the Irish DPA subsequently questioned whether SCCs adequately protected EU citizens’ personal data. The question was referred to the CJEU for a ruling on whether SCCs offered sufficient safeguards in respect of the processing of personal data.

The Irish DPA’s concerns were referred to the CJEU by the Irish High Court in May 2018 in respect of compliance with the EU Charter of Fundamental Rights. The Advocate General gave an opinion in December 2019 that SCCs were still valid, but would need to be assessed on a case-by-case basis to ensure they met equivalence with EU law. At the same time (although the question was not formally before the CJEU) the Advocate General raised concerns with regard to the Privacy Shield mechanism, specifically in relation to the level of protection provided to personal data in the US in light of its enforcement and intelligence activities. As a result, the CJEU also commenced a review of the Privacy Shield mechanism to assess its effectiveness against the requirements of the (by then new) EU General Data Protection Regulation (GDPR).

On 16 July 2020, the CJEU published its finding in the Schrems II case (Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems), confirming the validity of SCCs for international transfers, but invalidating the Privacy Shield mechanism.

 

What does this mean for local businesses?

Standard Contractual Clauses:

Firstly, SCCs are not directly binding on Jersey-based businesses receiving personal data as part of a data transfer. However, their validity will be assessed on their ability to ensure compliance with the Data Protection (Jersey) Law 2018 (DPJL), which is based upon the provisions of the GDPR. As long as the levels of protection afforded in the agreement meet that standard, then the likelihood is the SCCs will be considered valid.

Similarly, any Jersey-based business using SCCs as a transfer mechanism to another third country will need to ensure that the receiving jurisdiction can provide the same standard of protection as required by the DPJL. The receiving data importer will be expected to identify any areas or factors that may prevent them from complying with those standards. If that happens, the expectation will be that the Jersey-based company must suspend the transfer until such issues are resolved and the appropriate standards of protection can be afforded in the receiving jurisdiction.

Privacy Shield:

The CJEU found that domestic laws in the US dealing with access to and use of personal data by US authorities do not provide sufficient protection of that data in line with GDPR requirements. Its biggest concern was the lack of protection for non-US individuals who may be targeted by US Government surveillance programs, and the potential lack of recourse for those individuals against those US authorities.

The CJEU judgment means it is therefore no longer acceptable to use the Privacy Shield as a data transfer mechanism for transfers of personal data between the EU and the US. Given that the DPJL is based on the GDPR, and aims to offer an essentially equivalent standard of protection, the JOIC is unlikely to approve transfers based on the Privacy Shield mechanism alone.

 

What should Jersey businesses do now?

If you are a Jersey company that transfers personal data to the US, or uses the services of US-based processors, you will need to ensure the appropriate safeguards are in place BEFORE making any further transfers.

There are some steps you can take. These are our top 5 tips:

  1. Find another transfer mechanism. SCCs are still a valid transfer mechanism and may provide a suitable alternative for you if you can satisfy yourself that data subjects can be guaranteed an essentially equivalent level of protection in the receiving jurisdiction. For inter-group transfers, you could also consider Binding Corporate Rules, remembering that these must be approved in advance of any transfers by the JOIC.
  2. Map out your data flows. Critically examine all your flows and identify what safeguards you have in place for transfers to non-EU jurisdictions. Also assess the level of protection offered to personal data in the jurisdiction to which you are transferring the data: look at access to the Court system, understand the ability to seek legal recourse if things go wrong, and look at the availability and powers of any regulator/ombudsman. You may also want to consider whether the authorities in that jurisdiction can access the information and on what basis.
  3. Re-assess your Processing contracts. If you use a service provider/Processor in the US, make sure the processing contract reflects the appropriate mechanism and safeguards for transferring personal data. You may also want to consider changing your provider to one that can offer an adequate level of protection for data subjects.
  4. Keep an eye on the news. The European Data Protection Board (EDPB) will very likely publish updates on the legality of data transfers where SCCs have been used. Keep in mind the CJEU position on SCCs may change!
  5. Provide additional safeguards. Try not to rely on one single mechanism for your data transfers. Instead, try using SCCs plus another mechanism to ensure you are offering the best protection you can to the personal data you are transferring.