Data transfers: life after the fall of Privacy Shield

The invalidation of the Privacy Shield – the mechanism for legal data transfers between the European Economic Area and the US – has created a headache for in-house counsel. Neil Hodge reports on what’s changed and what companies can do to comply with the new legal environment.

Back in July the Court of Justice of the European Union (CJEU) ruled that the key methods used to transfer data safely between the European Economic Area (EEA) and the US were either invalid or unsafe.

In a surprise judgment, the CJEU decided that the EU-US Privacy Shield, which allowed – on paper, at least – some 5,300-plus validated companies safe access to EU citizens’ data without fear of legal reprisals under EU privacy law, was invalid. The decision came after Austrian privacy campaigner Max Schrems raised concerns that US snooping laws allowed the government access to EU citizens’ data, thereby violating the EU’s General Data Protection Regulation (GDPR).

The Court ruled that two other principal mechanisms for transferring data – namely standard contractual clauses (SCCs) and binding corporate rules (BCRs) – remain valid, but it warned that neither offers 100 per cent protection.

EU data protection authorities (DPAs) subsequently made clear that the legal burden for companies to check that data transfers outside of the EU were safe rested with them alone – a position few in-house lawyers would welcome.

Furthermore, neither the CJEU nor the EU’s data privacy regulator, the European Data Protection Board (EDPB), recommended any alternative, safe method by which organisations could continue to transfer data between the EU, US and other third countries. Indeed, both the EU and US have admitted that any replacement for the Privacy Shield is a long way off.

Since few DPAs issued any guidance on the issue in the four months following the Schrems judgment, companies had been anxious that they might be in breach of the GDPR by continuing to transfer data across the Atlantic.

Sudden upheaval

One lawyer, who declined to be named, believes that the CJEU and European DPAs should be criticised for invalidating the Privacy Shield without putting new rules or procedures in place to enable companies to transfer data safely. ‘Ruling that trans-Atlantic dataflows may be unsafe and that they may violate GDPR is like waking up one morning and telling the world that driving has been banned. How could companies reasonably comply with such an immediate decision?’ he says.

Dr Marc Hilber, Senior Vice-Chair of the IBA Technology Law Committee and a partner at German law firm Oppenhoff, says that the immediate scrapping of the Privacy Shield has been a huge problem for companies and has created legal and compliance concerns for in-house lawyers.

‘It is simply not possible for any organisation to change the ways it transfers data overnight,’ says Hilber. ‘In a large multinational company, for example, it can easily take up to two years or more to change the IT infrastructure to meet the regulatory demands now imposed by the CJEU judgment.’

The fact that European data protection authorities have not allowed a ‘grace’ period to give companies time to comply has been a real concern for businesses, he explains.

Hilber also points out that different DPAs have different appetites for enforcement. ‘There is no doubt that some data protection regulators are going to interpret the Schrems judgment more strictly than others and are more prepared to take action against companies for non-compliance or against those organisations that have been slow to make any changes or even an assessment of what they think they need to do.’

He highlights that in Germany there are 16 regional data protection authorities. ‘Some are very pragmatic, but some have already given signals that their tolerance for non-compliance is lower than others,’ he says.

Help is at hand

To help solve these predicaments, on 11 November the EDPB published its list of ‘supplementary measures’ that companies can take to ensure that the personal data that they transfer outside of the EU still enjoys the same level of protection that data subjects would expect in Europe.

At the same time, the EDPB adopted recommendations on the ‘European Essential Guarantees for surveillance measures’, which provide organisations and their in-house legal and privacy teams with guidance on how to determine if the legal framework governing public authorities’ access to data for surveillance purposes in third countries can be regarded as a ‘justifiable interference’.

‘The protection granted to personal data in the EEA must travel with the data wherever it goes,’ says the EDPB. However, the guidance also makes it abundantly clear that ‘in the end data exporters are responsible for making the concrete assessment in the context of the transfer, the third country law and the transfer tool they are relying on.’

The EDPB says that if the European Commission has already decided that the third country where the data is being transferred is ‘adequate’, organisations will not need to take any further steps.

However, only twelve countries have qualified so far. The EDPB also says that it is still possible to make occasional and non-repetitive transfers under the derogations provided for in Article 49 of the GDPR, but adds that this mechanism cannot be used for standard data transfers.

The EDPB’s six-step guide says that organisations should map all transfers of personal data to third countries to ensure that the data is afforded an essentially equivalent level of protection wherever it is processed, while also verifying that the data they transfer is adequate, relevant and limited to what is strictly necessary.

Organisations should verify the transfer tool they are relying on to transfer the data (such as SCCs and BCRs), and also assess if there is anything in the law or practice of the third country that may undermine the data’s level of protection (compared to GDPR).

The EDPB wants organisations to conduct and document their due diligence to reinforce the fact that they will be held accountable for their decisions. It also wants organisations to re-evaluate at ‘appropriate intervals’ the level of protection afforded to the data they transfer to third countries, as well as monitor if there have been (or will be) any developments that may affect it.

If organisations fail to do so themselves, EU data regulators will suspend or prohibit data transfers in those cases where, following an investigation or complaint, they find that an essentially equivalent level of protection cannot be ensured.

Organisations should also identify and adopt ‘supplementary measures’ to bring the level of data protection up to EU standards if their assessment reveals that the third country legislation impinges on the effectiveness of the transfer tool they are relying on (which may differ from country to country).

In those cases where no supplementary measure is suitable, companies must avoid, suspend or terminate the transfer to avoid compromising the level of protection of the personal data. If they believe that the supplementary measures may prove problematic, or if there is a risk that supplementary clauses attached to SCCs may result in a lower level of data protection, organisations should consult their lead supervisory authority for guidance.

According to the EDPB’s guidance, supplementary measures include encrypting data, ensuring that data sent to third countries is used only for backup purposes (and not to access/share it), and pseudonymising data so that the personal information can no longer be attributed to a specific data subject.

Other measures deemed suitable are using split or multi-party processing so that no single organisation can access all identifiable personal data other than the data exporter; ensuring the data subject can be regarded as a ‘protected recipient’ for medical or legal purposes under the third country’s laws; imposing additional contractual measures on data importers (companies based in third countries) to ensure that they do not create ‘back doors’ that would allow the data to be accessed/shared in contravention of the GDPR; and ramping up internal processes and procedures to document the number of requests for access to information from public authorities, and recording the legal reasons why they have requested access.

Organisations could also set up teams of IT, in-house legal and data privacy experts based in the EU who can handle requests for data transfers to third countries and ensure that they are processed in line with GDPR – or deny such requests where necessary.

The EDPB has also outlined a couple of scenarios in which it believes there are no effective supplementary measures. These include transferring unencrypted data between parts of a company that has operations in the EU and in third countries where the level of data privacy is not adequate, as well as transferring personal information to a cloud services provider in a third country that needs access to unencrypted data to execute operations or is based in a country where ‘access to the transferred data goes beyond what is necessary and proportionate in a democratic society’.

Fears remain

Experts have said that the EDPB’s guidance is useful, though not overly prescriptive. Furthermore, since the EDPB has made it clear that those organisations exporting data are ultimately responsible – and legally culpable – for any unsafe transfers, compliance fears remain.

‘It is very difficult for a company’s IT department or in-house legal team to determine whether a third country offers the level of protection that the EU wants,’ says Hilber, who believes that there are still serious issues that companies need to address. ‘While some countries have surveillance laws that quite obviously breach European expectations of data privacy, it can be difficult to assess some countries’ surveillance laws in the same way.’

For example, says Hilber, the UK – which has the prospect of leaving the EU without an adequacy agreement before the end of 2020 and becoming a third country – has strong surveillance laws and shares intelligence information with Australia, Canada, New Zealand and the US as part of the Five Eyes alliance. ‘As a result, are companies supposed to treat the UK in the same way as they would with the US?’ he asks.

Since the EDPB has issued guidance for organisations to follow, Hilber believes that companies should make plans to comply, if they have not already done so. A starting point, he suggests, is to ‘check whether the IT services you are using through third-parties are compatible with the EDPB’s guidance and the CJEU judgment. Only keep the core services you need and get rid of those services that are merely “nice to have”.’

Companies should also carry out an inventory of what data is being housed outside of the EU and consider whether any of it – or all of it – should be re-housed in the EU, he adds.

Organisations should further consider the amount of data – and types of data – that they are transferring to third countries. ‘Conduct a data inventory to establish where data is being transferred to, and what kinds of data is being sent,’ says Hilber. ‘Categorise it in terms of importance. Is this data sensitive? Does it all need to be transferred or accessed all the time? Can it, or should it, be encrypted?’

He explains that asking more questions about the kinds of data being transferred and the reasons for doing so will help companies make a better, more in-depth assessment about the safety of data transfers and whether they comply with GDPR.

Some believe that many organisations will find it onerous to comply, but warn that companies should nevertheless take steps to implement the measures quickly. Peter Rossi, co-founder of data protection software vendor InfoSaaS, says that the immediate problem is that the guidance is ‘new and subject to different interpretation’.

‘Clearly, the onus on individual organisations to undertake such a comprehensive assessment on EU-US transfers of personal data – without clear, unambiguous guidance – is a huge ask,’ he says.

Rossi says that he has recently heard of some companies considering the introduction of transfer impact assessments, but questions how these will ever be waterproof without full and accountable transparency of the organisational, procedural, technical and personnel controls of the recipient organisation.

‘The elephant in the room remains foreign governments – especially the US – and their pressure on tech giants to make backdoors available, which means this is a really confusing matter,’ he says.

Approaches to enforcement

Gary LaFever, CEO and General Counsel at data privacy specialists Anonos, says there is a ‘high’ chance of regulators and privacy groups taking enforcement action against companies that are not already implementing the steps that the EDPB is recommending.

‘Privacy advocacy organisations and regulators alike are pushing hard for companies to get into line with privacy laws, and enforcement action is likely to increase as guidance makes clear what is required,’ he says.

‘If an organisation has not completed the steps and suffers a notifiable breach related to an EU-US transfer, they will find any subsequent regulator investigation much more uncomfortable,’ agrees Camilla Winlo, Director of Consultancy Services at privacy experts DQM GRC.

However, the prospect of a fine is only part of the story, says Winlo, since forced compliance could be as costly for some organisations. ‘It is most likely that, unless there is a breach, the regulator would compel the organisation to comply with the requirements rather than issue a fine,’ she explains.

‘But organisations should bear in mind that such enforcement is not pain free,’ adds Winlo. ‘It means that the organisation needs to rectify the omission at pace, and usually also means that other planned projects have to be put on hold or lose funding altogether.’

Maria Wilhelm is Head of Department for Europe at the Commissioner for Data Privacy and Freedom of Information, Baden-Wuerttemberg, which was the first EU DPA to issue guidance when the Privacy Shield was declared invalid. She says that organisations need to demonstrate that they are taking steps to review their processes and have documentation to show what due diligence they have carried out to assess the risks and to establish what needs to be done.

‘It is important to show a data regulator that there is a data management strategy in place to map the kinds of data being transferred and to categorise the sensitivity of that data,’ says Wilhelm.

‘It is also helpful for companies to show that they recognise that additional measures may be necessary to protect that data, as well as to indicate what these measures could be,’ she adds. ‘Regulators want evidence that organisations have considered the legal and practical issues and that they are already taking steps to prevent risk and harm.’

From a regulatory standpoint, Wilhelm says that the first step in any compliance programme should be for organisations to know their transfers and to inform customers, users and commercial partners on the new legal situation and the requirements of the CJEU’s judgment.

In this context, she says, it should be made clear that changes to privacy notices, contracts and user agreements are likely to take place. She adds that standard contractual clauses should also be updated to take into account the CJEU’s judgment, as well as the EDPB guidance issued in November, and that these changes, and the reasons behind them, should be communicated properly.

‘It is important to tell people why changes are being made and how they might be impacted by them,’ says Wilhelm. ‘Transparency is key.’

Organisations should tell customers, users, and contractual partners that data processes need to be reviewed – and some of them changed – because the EU’s highest court has ruled that data exporters are responsible for ensuring that personal data that is transferred to third countries enjoys the same level of protection as in the EU, suggests Wilhelm.

‘If such protection cannot be guaranteed – for example, due to a country’s surveillance laws – then companies are responsible for preventing such data from being transferred, which may result in some services being discontinued,’ she says.

While the EDPB’s guidance may provide useful protocols for organisations to follow, serious challenges remain that should be on an in-house counsel’s radar. Firstly, data regulators expect immediate steps towards compliance and identifying potential problem areas where transfers may prove risky. Secondly, it is up to organisations – not data regulators – to decide if a third country is unsafe to transfer certain forms of data to. And thirdly, it is very clear that organisations are wholly responsible for the transfers they make and are therefore fully liable for any breaches of GDPR.

As such, organisations – and their in-house legal and assurance functions, specifically – may have their work cut out ensuring the levels of data privacy needed.