SCHREMS II – IT’S DÉJÀ VU ALL OVER AGAIN

The more things change, the more they stay the same. On July 16, 2020, the Court of Justice of the European Union (“CJEU”) issued its decision in the so-called “Schrems II” case. If you need some background on the case, you can find our original blog post on the case here.

The two main takeaways of the Schrems II decision are:

  1. The CJEU invalidated the EU-US Privacy Shield framework.
  2. The CJEU reaffirmed the validity of standard contractual clauses (“SCCs”).

While the validity of SCCs was upheld, and SCCs remain a viable transfer mechanism, the CJEU holding requires businesses utilizing SCCs to analyze whether the destination country provides an adequate level of data protection. Where the country doesn’t, the business must provide additional safeguards or suspend the transfer. Similarly, EU data protection authorities must suspend or prohibit a transfer of personal data to a third country if the data protection authority has determined that SCCs cannot be complied with in the third country and data protection cannot be ensured.

Recall that the Privacy Shield worked together in a closely integrated manner with the GDPR. It was not a separate law or a substitute for GDPR compliance. More specifically, and to use a bit of regulatory jargon (we’ll leave it unexplained for now in the interest of brevity), the Privacy Shield had served as what is known as a “partial adequacy decision” falling under GDPR Article 45. In short, then, what the CJEU has done in the Schrems II case is take the Privacy Shield, a proven, centralized system for regulatory oversight and enforcement on both sides of the EEA-US data transfer equation, and replace it with a system of self-policing by transferors and ad hoc decision making by local EEA authorities.

That’s all likely to work out about as well as it did in 2015 when the EU-US Safe Harbor was invalidated in the Schrems I case. Back then, data transfers continued (and even increased) through a two-year period of ambiguity, confusion and almost complete non-enforcement until the Privacy Shield went into effect to fill the void left by the CJEU’s invalidation of the Safe Harbor.

So what does all this mean for US businesses that had relied on the Privacy Shield? Not much over at least the next week or two, and likely longer. Contracting counterparties in the EEA, rather than regulators, will be the most likely source of pressure to adopt the SCCs. The U.S. Department of Commerce, for instance, issued a statement in response to the Schrems II decision informing US businesses that it intends to continue to operate for the time being as if the Privacy Shield remains in effect and, as such, the CJEU decision does not relieve participating businesses of their Privacy Shield obligations.

If US and EU negotiators can’t work together to fix this soon, companies will need to start looking at alternatives to the Privacy Shield such as SCCs, binding corporate rules or the derogations under GDPR Article 49. Regardless of what happens as a result of Schrems II, US businesses that remember and practice our recurring mantra about applying the Pareto Principle to their data security and privacy compliance obligations will get through this fine. So if you haven’t already:

  • adopt a risk-based technical and administrative data protection program,
  • take the time to actually implement that program (“saying” it is one thing, “doing it” is another),
  • tell your employees and customers what you’re doing with the data you collect about them and why,
  • give your employees and customers some degree of access to, and autonomy over, that data,
  • keep a close eye on third parties (including vendors) with whom you share that data, and
  • respond swiftly to, and be honest with those affected by, unauthorized use if it occurs.

Learn more and contact the Gordon & Rees Privacy, Data & Cybersecurity practice group here.

The Third Annual Review on the U.S.-EU Privacy Shield Notes the U.S. Is Doing Well, Are You?

On October 23, 2019, the European Commission published a report on its third annual review of the Privacy Shield. The results are generally positive with no immediate risk to the Privacy Shield’s existence (as a regulatory matter) for at least another year. While you can read the full report here, the following serves as a brief summary, which will be reviewed in more detail in the weeks to come.

Recall that the Privacy Shield works together in a closely integrated manner with the GDPR. It is not a separate law or a substitute for GDPR compliance. More specifically, and to use a bit of regulatory jargon (we’ll leave unexplained for now in the interest of brevity), the Privacy Shield serves as what is known as a “partial adequacy decision” falling under Article 45 of the GDPR.

Per the US-EU bilateral agreement that resulted in the Privacy Shield, it is subject to annual review by the relevant authority in the EU. If the review goes badly, it would be an existential threat to the Privacy Shield. Thankfully, that did not happen. It is important to note that this report is, of course, unrelated to the Schrems II case (which we posted on here) and its anticipated follow-on cases, which are likely to judicially challenge the Privacy Shield.

Since there’s a lot of confusion, even amongst some practitioners, about what the Privacy Shield is and how it fits in with GDPR, we always feel it’s a good idea to give a reminder whenever we post on the Privacy Shield. So here goes:

Under the Privacy Shield, U.S.-based companies that self-certify can lawfully receive GDPR-governed personal data from companies based in the European Economic Area. Equally important, Privacy Shield also signals to the marketplace that your company has what we refer to at the end of this post as the “Pareto Principle” of data security and privacy policies – procedures and programs in place that are not only required by GDPR, but are fairly universal across global regulatory regimes. As a result, Privacy Shield self-certification is definitely a plus, but its absence is not fatal to your company’s ability to receive personal data from the EEA. If you aren’t Privacy Shield self-certified, it just means you can’t rely on GDPR Article 45 to receive personal data.

Instead, you have to look to GDPR Article 46. That Article enumerates a handful of mechanisms that also can be used to lawfully receive EEA personal data transfers. They range from the so-called Standard Contractual Clauses (which are currently under attack in Schrems II) to a costly and complex mechanism called Binding Corporate Rules.

The key takeaway from today’s report is this: For the third year in a row, Privacy Shield has proven its viability. Becoming Privacy Shield self-certified is worth considering if your business requires regular receipt of GDPR-governed data. It also has some independent value beyond EEA transfers insofar as it shows your company’s security and privacy practices have at least some minimum level of maturity. As we all know and preach, it is essential in today’s global privacy evolution to ensure the development, implementation and continued monitoring and improvement of sound data security and privacy policies and practices.

Should you have any questions before our more detailed post is published, please contact Rich Green for more information.

How Many Schrems Does It Take to Stop a Data Transfer?

The so-called “Schrems II” case was heard earlier this week. It’s impossible to give this topic the treatment it deserves in a single blog post. So for now, here’s a quick FAQ:

What’s this case about?

Collecting personal data from the European Economic Area (aka, the “EEA”) and transferring it to other countries is restricted by law. It can be done, but companies have to use certain statutorily prescribed mechanisms. Those, more or less, have been the rules of the game since at least 1995, continuing through today under the new GDPR, which you’ve probably heard a lot about.

The prescribed mechanisms have varied over the years, but one constant has been what are known as “Standard Contractual Clauses” or “SCCs.” SCCs are a set of data protection contract terms that have been pre-approved by the EU data protection regulators. In the “old days” (by which we mean the mid- to late 1990s) they were called “model clauses.”

If each of the EEA- and US-based counterparties to a data transfer transaction agrees to bind itself to the SCCs, then an otherwise prohibited transfer becomes permissible.

In simplest terms, the Schrems II case is trying to stop companies from being able to do that. The plaintiff’s claim is that the SCCs are not valid under EU law because they fail to provide adequate levels of protection for personal data.

Why do they call it Schrems II?

Schrems is the surname of an EU-qualified attorney and political and privacy activist. He and the ecosystem of activist organizations around him are serial plaintiffs. This is their second (and definitely not final) attack on EU-US data transfers.

Back under the old 1995 law, one way to conduct a permitted personal data transfer was to use the EU-US Safe Harbor Framework. If a company took a couple of (pretty minimal) steps and signed up with the US Department of Commerce to be part of the Safe Harbor, it could receive personal data from the EEA.

Spurred on by the intelligence agency surveillance scandals that occurred during the Obama administration, Schrems, then a law student, brought a series of cases trying to invalidate the EU-US Safe Harbor. After a few procedural losses and a bit of forum shopping, he finally succeeded in 2015. That case became instantly known as “Schrems I” because Schrems and his supporters were already preparing their challenge to the SCCs. And, again, that’s exactly what’s happening now under Schrems II.

Didn’t the EU-US Privacy Shield replace the Safe Harbor?

Yes. A detailed analysis of the Privacy Shield (and its all-important relationship to the GDPR) is beyond the scope of this post, so here’s the summary version:

The Privacy Shield is considered a “partial adequacy decision” under GDPR Article 45. As such, it allows companies to collect/transfer EEA personal data to the US as long as the US-based recipient company is Privacy Shield self-certified.

But this case isn’t about the Privacy Shield (at least not nominally—more on that in a minute) or even GDPR Article 45. As stated in the prior two FAQs, this case is about one of the other prescribed mechanisms, the long-standing SCCs which have been in existence for nearly 25 years and today fall under the aegis of GDPR Article 46.

That said, while we’re still waiting on our own confirmation, it’s being reported by reliable news sources that, in open court this past Tuesday, Schrems’ lawyers asked the court to also invalidate the EU-US Privacy Shield—despite not having actually pled or argued for it previously (in fact there is an entirely separate case for that) and despite the fact that it derives from a statutory mechanism (GDPR 45) that is separate and distinct from the SCCs (which, again, are GDPR 46).

What happens if the European Court of Justice invalidates the SCCs?

Déjà vu all over again. Things will very likely look pretty much the same as they did in 2015 when the Schrems I court invalidated the Safe Harbor. Which means there will be a long interregnum during which there will be less regulation, more unfettered transfers and lots of confusion.

You see, like the too-clever-by-half Wile E. Coyote character of Warner Brothers cartoon fame, in the first case that bears his name, Schrems thought he was going to dynamite, and thereby halt, EU-US data transfers by invalidating the Safe Harbor. But in the end, the only thing that went up in smoke was his goal of protecting data transfers.

Invalidating the Safe Harbor didn’t stop transfers out of Europe to the US at all. Instead, the result in Schrems I combined with the already looming specter of Schrems II, led companies to conclude that European law was, to put it colloquially, a hot, unenforceable mess.

EU regulators, already under-staffed, under-funded and overwhelmed, were more or less paralyzed after Schrems I. So responsible, law-abiding companies had to more or less make it up as they went along. Most did their best to self-regulate and relied on SCCs. Others, knowing Schrems II was imminent and SCCs thereby in doubt, used ad hoc data export/import contracts. Meanwhile, the less law-abiding were all too happy to flout the spirit of the law entirely and were doing pretty much whatever they wanted with impunity.

That same environment of confusion and virtual lawlessness, rather than Schrems’ goal of stopping or better protecting US transfers, will play out again if the Schrems II court invalidates SCCs. It’ll happen a thousand-fold if the Schrems II court decides, sua sponte, to invalidate the Privacy Shield too.

What can we do now to prepare?

For starters, keep reading this blog! In addition to that, remember our recurring mantra about applying the Pareto Principle to data security and privacy compliance.

Sure it’s true that there are variations between laws and some laws have real quirks (CCPA anyone?!). But it’s even more true that just about every data sec or privacy law (from HIPAA to the NY Cyber-reg to GDPR) has the following (or a very similar) set of building blocks at its foundation:

  • adopt a risk-based technical and administrative data protection program,
  • tell your employees and customers what you’re doing with the data you collect about them and why,
  • give your employees and customers some degree of access to and autonomy over that data,
  • keep a close eye on third parties (including vendors) with whom you share that data, and
  • respond swiftly to, and be honest with those affected by, unauthorized use if it occurs.

So put that foundation in place, and check on it periodically, and you’ll be well on your way to achieving 80% compliance no matter what the Schrems II court decides.

EU-US Privacy Shield – How to Opt In and Self Certify

The Privacy Shield provides a means to transfer EU personal data in accordance with certain EU data privacy principles.

As of August 1, 2016, US companies may self-certify as a means of complying with EU data protection laws when transferring EU personal data from the EU to the US. (For background information on the EU-US Privacy Shield, see March 2016 Article.)

Companies should consider self-certifying to the Privacy Shield if they desire to minimize their exposure to liability on many fronts, e.g., regulatory compliance with the EU Data Protection Directive and with federal and state laws, and minimizing the risk of data breach/regulatory compliance litigation. Additionally, by operating in accordance with these data privacy principles, companies will be building goodwill with their consumers and business partners.

Pre-Certification Assessment/Audit

Prior to self-certifying, companies need to engage in a self-assessment/audit to determine whether their current business practices meet the minimum standards set forth in the Privacy Shield framework. There will likely be some work involved for most companies to self-certify to the Privacy Shield, but it is certainly manageable when proper resources are allocated to address the self-certification requirements.

Although not a complete and extensive list of all of the pre-certification logistical requirements, the following are required to self-certify to the Privacy Shield.

First, companies will need to assess their external and internal privacy policies, and their EU personal data collection, processing, storage and transfer procedures. Each policy and procedure will need to be compliant with the 7 Privacy Shield Principles, and as applicable, the 16 Supplemental Privacy Shield Principles. A summary of these principles can be found at the US Department of Commerce.

Second, once this assessment/audit is complete, companies will likely need to update all of their privacy policies and procedures and contracts with their business partners. If companies self certify to the Privacy Shield by September 30, 2016, they will be provided with a 9-month grace period to update their contracts with their business partners.

Third, the Privacy Shield requires companies to implement specific complaint and dispute policies and procedures, which include replying promptly to all complaints, identifying a point-of-contact person/officer for complaints and providing an independent recourse resolution mechanism to EU consumers.

Fourth, companies are required to notify the public that they are self-certifying to the Privacy Shield. This includes publishing the Privacy Shield logo and required self-certifying language on their websites, and appointing a person who is responsible for self-compliance.

Self-Certifying to the Privacy Shield

Once companies complete their pre-certification assessment/audit, then they will be ready to certify to the Privacy Shield.

Self-certification to the Privacy Shield requires companies to submit a written application/certification to the US Department of Commerce. There is also a required fee to self-certify to the Privacy Shield. See Federal Register July 22, 2016 Cost Recovery Fee Schedule for the EU-U.S. Privacy Shield Framework Notice.

Post Certification

After self-certifying to the Privacy Shield, companies must walk the walk. This requires a coordinated effort to comply with their Privacy Policy and maintain good standing on the Privacy Shield list of self-certifying companies.

Additionally, companies must self-certify each year with the US Department of Commerce, which means self-certifying to the Privacy Shield is a constant, ongoing process.

For guidance through the legal and regulatory compliance land mines of self-certifying, do not hesitate to contact Mark Ishman, a member of Gordon Rees’ Privacy & Data Security Practice Group.

Just When You Thought EU “Model Clauses” Are Safe to Transfer EU Data, Think Again

After the Court of Justice of the European Union (CJEU) invalidated the Safe Harbor framework for EU-US data transfer, companies began to rely on the EU’s “Model Clauses” as a valid means of transferring data from the European Union. In fact, almost all multi-national corporations adopted “Model Clauses” as the interim best practice to transfer EU data from the European Union.

However, the EU “Model Clauses” do not directly address US national security surveillance laws, which remain unchanged and continue to apply to large multi-national corporations. This has given rise to this latest CJEU proceeding initiated by the Irish Data Protection Commissioner (DPC). The DPC recently announced that it will ask the CJEU to determine whether Facebook can transfer EU data from the European Union via the use of EU’s model clauses. A copy of the press release can be found here.

In addition to the ongoing EU-US Privacy Shield negotiations that will likely continue for at least the next year, we must now watch for the CJEU’s decision on whether EU “Model Clauses” adequately protect EU data from big government surveillance practices. Given the current state of EU data transfers, best practices must continue to be examined and developed by the data privacy industry.

EU-US Privacy Shield: US Companies Should Adopt and Apply Its Data Privacy Principles

The EU and US have announced another agreement requiring US companies to self-certify that they are compliant with certain data privacy principles in order to conduct transatlantic data transfers. This agreement is called the EU-US Privacy Shield (“Privacy Shield”) and is similar to its predecessor Safe Harbor program, but requires US companies to conform to more stringent data privacy standards. Although the EU and US have announced this deal, the Privacy Shield has not yet been finalized or enacted, as the authorities are still negotiating a final version of this agreement.

During this interim, US Companies should consider adopting the Privacy Shield’s published Privacy Principles into their business practices in order to commit to doing business long-term in Europe. If they do so, then they would not only put themselves on a fast track to self-certification under the Privacy Shield, but they would also be minimizing their exposure to data privacy/breach liability in the US.

Under the first published draft of the Privacy Shield, US companies must adopt and implement certain Privacy Principles in order to collect, store and transfer EU personal data. The Privacy Shield’s Privacy Principles are generally good data privacy and security policies and procedures that, when implemented, would help a company minimize its exposure to data breach liability here in the United States (e.g., Section 5 of the Federal Trade Commission Act, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), state data breach notification laws, etc.).

In fact, even where US law has not already required US companies to adopt some of the Privacy Shield’s Privacy Principles, most of these principles have been found to be good practices in administrative and judicial decisions that have considered these US privacy and data breach laws in their rulings.

A closer look at the Privacy Shield’s Privacy Principles clearly shows how they can minimize US companies’ liability exposure while building goodwill with their consumers.

The Privacy Shield requires US companies that collect, store and transfer EU personal data to adopt and implement into their business practices and policies, the following:

(1)   Notice. US Companies must provide Notice to their data subjects of how they process the data they collect, store and transfer, covering 13 subjects. Such Notice requirements include:

  • the type of data they are collecting,
  • the purpose of processing their data,
  • the right to access their data,
  • the right to choose whether the US companies can continue to collect, store and transfer their data (i.e., opt-out),
  • the conditions for onward transfers of their data, and
  • who is liable and what remedies are available to them for security breaches involving their data.

US Companies should give Notice of these privacy principles as part of the Privacy Policy on their websites for their data subjects to review. In their website Privacy Policy, US Companies must include links to the US Department of Commerce’s website for additional information on self-certification, the rights of data subjects and available recourse mechanisms. US Companies must also state their Privacy Shield self-certification and identify an appropriate alternative dispute settlement provider (see Recourse, Enforcement and Liability below).

(2)   Choice. US Companies must allow their data subjects a Choice to opt-out of any collection, storage and transfer of their data, especially if a US company changes its data privacy principles. If a US company is a direct marketer, then there are special opt-out rules that the US direct marketer must implement in order to allow their subjects to opt-out at any time from the use of their personal data.

(3)   Security. US Companies collecting, storing and transferring personal data must take “reasonable and appropriate” security measures to minimize the data security risks involved in the collection, storage and transfer of such personal data. “Reasonable and appropriate” security measures must be implemented by US companies because their security measures will be the key subject investigated and litigated in any data security breach. If US Companies are subcontracting any of their security obligations under the Privacy Shield, then such subcontracted security services must be memorialized in an executed agreement in which the subcontractor guarantees the same level of protection as provided by the Privacy Shield (i.e., the Privacy Principles) and guarantees the implementation of such privacy measures.

(4)   Data Integrity and Purpose Limitation. US Companies must limit their collection, storage and transfer of personal data to means compatible with a purpose that is Noticed in their Privacy Policy, and must maintain the integrity of the data while using it.

(5)   Access. US companies must provide Access rights to EU data subjects to their data as follows:

  • provide Access to their data without justification (i.e., for any reason),
  • respond to Access requests without an excessive fee,
  • respond to Access requests within a “reasonable” time frame,
  • provide confirmation that they are processing their data, and
  • provide Access to correct, amend or delete personal information where it is inaccurate or has been processed in violation of these Privacy Principles.

There are a few limited exceptions to the Access rights stated above that only apply in exceptional circumstances. Otherwise, US companies bear the burden of showing that these Access rights are being provided to EU data subjects.

(6)   Accountability for Onward Transfer. When transferring EU personal data from controllers or processors, US companies must be accountable for such onward transfer by:

  • limiting such transfer to a specified purpose;
  • transferring only under the terms of an executed agreement;
  • transferring only if the executed agreement provides the same level of protection as the one guaranteed by the Privacy Principles; and
  • controllers remaining accountable for all compliance problems unless caused by some act(s) of gross negligence by a processor.

(7)   Recourse, Enforcement and Liability. If bad things happen to EU personal data while being collected, stored or transferred, then US companies must have in place effective redress mechanisms to deal with such complaints, which includes:

  • US Companies must publish their Data Privacy/Security Contact Person in their Privacy Policy, who is either within or outside of the company but handles all data privacy/security complaints. This is required in order to allow individuals to file complaints directly with Privacy Shield companies.
  • Within 45 days upon receipt, US Companies must respond to all data privacy/security complaints.
  • Such responses to complaints must “provide an assessment of the merits of the complaint and, if so, information as to how the organization will rectify the problem.”
  • US Companies must “retain their records on the implementation of their privacy policies and make them available upon request in the context” of a data privacy/security investigation or complaint.

EU data subjects can also bring complaints to independent EU data protection authorities (DPAs), which will investigate and attempt to resolve individual complaints and provide appropriate recourse to EU data subjects free of charge.

Additionally, Privacy Shield companies must offer alternative dispute resolution via an independent dispute resolution mediator free of charge. As a last resort, EU data subjects may invoke binding arbitration by a “Privacy Shield Panel” arbitrator who is appointed by the US Department of Commerce and the EU Commission.

The US Department of Commerce, Federal Trade Commission and other data protection authorities will also have the authority to investigate and prosecute US companies for non-compliance with the EU-US Privacy Shield.

(8)   Self-Certify. US companies must annually self-certify that they are compliant with the Privacy Shield’s principles and practices. “This can be done through a system of self-assessment, which must include internal procedures ensuring that employees receive training on the implementation of the company’s privacy policies and that compliance is periodically reviewed in an objective manner, or outside compliance reviews, the methods of which may include auditing and random checks.” Additionally, US companies must file their self-certification of adherence to the Privacy Principles with the Department of Commerce, which will then publish self-certifying US companies on a “Privacy Shield List.”

Like all legal matters, there are exceptions to some of the Privacy Shield rules identified above. Additionally, there are other provisions of the Privacy Shield, not identified here, that may be applicable to US companies under worst-case data security breach scenarios.

As discussed in our last blog article, the EU Commission’s subcommittees are now reviewing the Privacy Shield with the purpose of submitting comments to the EU Commission. Once these comments are received, the EU Commission will either approve the Privacy Shield or require additional edits to it. Simultaneously with this EU review period, there will likely be new laws required to be enacted in the US in order to authorize and facilitate the privacy authority and procedures set forth in the Privacy Shield. Expect another update on edits to the current draft of the Privacy Shield. It may be another 6 to 12 months before the Privacy Shield has been enacted and is fully effective.

In the interim, adopting the above Privacy Shield rules into your business practices would put you on a fast track to comply with the EU-US Privacy Shield once it has been enacted, and it would also build goodwill with your consumers and minimize your exposure to data breach liability under the Privacy Shield and US federal and state laws.

EU-US Privacy Shield: What Does this Mean for the Private Sector?

It’s déjà vu all over again: the EU and US have announced that they have reached an agreement in principle on new rules governing transatlantic data transfers. They are now finalizing their agreement, which will be called the EU-US Privacy Shield. The EC announced that it will prepare a draft “adequacy decision” on the Privacy Shield in the upcoming weeks (ETA: end of February).

At this time, deal terms of this agreement related to the private sector are slowly being disclosed, such as:

  • “Strong obligations” on companies that handle Europeans’ personal data, coupled with “robust enforcement”.
  • US companies will be required to declare that, based on their interpretation of the Privacy Shield and related laws, they are compliant with it. Companies that break the terms of the agreement would face escalating sanctions, up to and including “removal from the list” of those firms legally allowed to collect EU citizens’ data and transfer it to the U.S.
  • The Department of Commerce and the FTC will have significant roles in enforcing the terms of the agreement. It appears that the US Department of Commerce will be monitoring what companies publish as their commitments to protect and secure personal data, and the FTC will be in charge of data privacy enforcement under US law.
  • There will be regulations for companies handling human resource data from Europe, requiring at a minimum that they comply with decisions by EU’s data protection authorities.
  • There will be new complaint procedures for EU citizens to utilize to complain about misuse of their personal data in the US, from making initial complaints to the particular US company, all the way to complaint procedures involving the US Department of Commerce and FTC.

The Privacy Shield has already received criticism. Some are arguing that it is really not an agreement/treaty, but a letter of understanding or pledge. Others argue that it will be struck down by the European Court of Justice.

As this all works itself out over the next several months, the Article 29 Working Party, the body made up of representatives of individual European Member States’ data protection authorities (DPAs), has announced that it has agreed to allow more time for the EU and US to finalize the Privacy Shield and will not be taking enforcement action against companies that are using alternative transfer mechanisms (contracts) in the wake of last year’s Safe Harbor strike-down (Schrems).

We will need to actually see the Privacy Shield language in order to provide compliance advice. However, in the interim, we will continue to monitor the finalization of this agreement (ETA: end of April) and provide updates to you.