On July 9, the Court of Justice of the European Union (CJEU) -- the highest court in Europe -- heard arguments challenging the validity of two key elements of the General Data Protection Regulation (GDPR) that went into effect in May 2018: standard contractual clauses (SCC) and the Privacy Shield framework.
The SCC is a collection of three standard template contractual clauses, approved by the European Commission, that exist between data exporters and importers. Currently, two of these clauses exist to address transfers to controllers (those organizations that determine the purposes and means of processing personal data); the third covers transfers to processors (those organizations processing personal data on behalf of controllers). (For more information on these definitions, see my first GDPR article for No Jitter, “
Get Ready for GDPR.”) Privacy Shield allows the lawful transfer of personal data from companies within the EU to U.S. businesses that self-certify compliance with certain privacy principles. The U.S. Department of Commerce oversees Privacy Shield.
However, the crux of the problem -- and it’s a biggie -- is that American and EU standards with respect to privacy rules aren’t compatible. And I don’t mean they’re a little out of sync, but incompatible. Ouch.
The GDPR not only became effective across EU member countries, but in any country where personal data belonging to any EU citizens, regardless of present location, originates. In other words, any personal data belonging to a citizen of the EU that is stored, processed, or retained anywhere in the world since May 25, 2018, is subject to the GDPR’s reach. (The phrase “personal data” is defined as “any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier,” and includes an obviously broad array of information from government-issued ID information to IP addresses.)
The underlying tenet of the GDPR rules is that personal data belongs to the person and that third parties are obligated to respect that ownership. Within the EU, privacy is considered a human right, which creates a much higher standard for the protection of individually identifiable information than exists in North America and many other places in the world. Sadly, the European Commission has deemed but a few assessed countries as providing adequate protection pursuant to the GDPR requirements. As such, the EU-based exporter of data must identify and use a relevant compliance mechanism to ensure that the transfer doesn’t breach GDPR. And that’s before the data actually goes anywhere. Once it leaves the boundaries of the EU, the obligations kick in.
The Current Case
Max Schrems is an Austria-based privacy advocate and lawyer who filed a complaint in 2013 with the Irish regulator against Facebook’s Irish subsidiary claiming that his personal data -- along with that of other EU citizens -- had been transferred to U.S.-based Facebook servers for processing in violation of his rights. The Irish regulators referred the case to the CJEU, which sided with Schrems in 2015, claiming that the existing Safe Harbor framework in which U.S.-based entities self-certified that they were providing sufficient protection in fact did NOT meet the EU-required levels of protection for confidential information.
One of the most compelling elements of the “Schrems I” case is that the American legislation not only allowed for the transfer of generalized content information, but also provided no legal remedies for residents of the EU to access, edit, or delete their own private information. One other critical kicker -- as a direct result of Edward Snowden’s revelations, it became clear that, according to an
article in the Irish Times last week, guaranteed “EU protections didn’t apply to national security agencies conducting mass surveillance [that] indiscriminately swept up data from technology and social media companies.”
As a result of the Schrems I decision, the European Commission created the SCCs, putting in place a more rigorous regulatory structure than previously existed to “legitimize” the international transfer of personal data. At the same time, the European Commission and the Swiss Administration worked with the U.S. Department of Commerce to “provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.” The result,
Privacy Shield, was to replace the former self-certifying Safe Harbor provisions that had been in place up to this time.
Schrems II, argued most recently by the CJEU this month, both extends and refines the issues that exist between EU-to-U.S. data transfers. In this most recent case, Schrems, on his own behalf and on behalf of millions of EU citizens, has challenged the validity of both the SCCs and Privacy Shield for failure to provide the security that EU citizens see as a fundamental right. Again, the essential problem is the underlying incompatibility between the EU’s near-absolute privacy protection of its citizens and existing American laws regarding both the retention of -- and government access to -- such personal data. More specifically, though, another question before the CJEU is whether the alleged power of entities (read: NSA, CIA) within the U.S. to carry out mass surveillance of EU citizens’ data without providing meaningful legal redress by such individuals violates both the letter and spirit of the rules.
While the case names Facebook as a party, the implications of a decision will be much more far reaching than just the social networking giant. The decision will change how EU citizens’ data is to be protected, and how American -- and other -- enterprises must handle, store, and process the data that each receives.
If the court invalidates one or both of these essential provisions, businesses on the western side of the Atlantic will need to be ready to spring into action addressing what will amount to a seismic shift in how data that originates on the eastern side of the Atlantic and makes its way westward for processing is handled and protected. I’m getting a bit ahead of myself, but the court’s determinations could have a profound effect on how business is done, particularly because if the CJEU decides to invalidate either provision, its determinations will not only be effective immediately, but also be retroactive, thus requiring immediate changes in process. The risk of non-compliance allows for potentially crippling financial penalties as defined in the original GDPR.
Planning for the Unknown
An initial decision in the Schrems II case is expected within six months. Although appeals are expected, the bottom line remains that enterprises having access to personal data belonging to EU citizens should be planning now to change course, if necessary, if and when the courts determine that Schrems is right and that neither the previously approved SSCs nor the Privacy Shield framework are doing the job.
In the event that the court invalidates either the SSCs or Privacy Shield -- or both -- the next likely step, which any company that has personally identifiable data from an EU citizen should be planning for now -- is creation of
binding corporate rules (BCRs) that EU-based entities must be compliant with when transferring personal data outside the EU. As spelled out by the European Commission, BCRs must include all general data protection principles and enforceable rights to ensure appropriate safeguards for said data transfers. In addition, they must be legally binding and enforced by every member of the group. EU companies must submit BCRs in advance to the appropriate data protection authority within the EU.
The best advice to enterprise consumers that receive data from EU citizens is to start thinking now to be prepared in the event that the CJEU determines that the current strictures are insufficient to protect personal information. As I mentioned above, if the court goes this way, the decision is likely not only to take effect immediately, but retroactively, thus posing the potential to thwart essential data transfers immediately. I hardly think of myself as a Chicken Little type, and maybe this will be a Y2K-like non-problem, but maybe not, and I wouldn’t want any of my clients to take that chance. The consequences for inaction could be overwhelming.
