Privacy Shield is dead! Long live Privacy Shield.
I said that, just now, over a cup of tea
It’s been an ‘exciting day’ in the world of Data Protection as this morning the Court of Justice of the European Union (CJEU) issued its long-awaited final ruling on data transfers to the United States of America (USA) under either the EU-US Privacy Shield programme or Standard Model Contract Clauses (SMCCs) as defined under Article 46 of the General Data Protection Regulation (GDPR).
For the non-Data Protection ‘specialists’ reading this, bear with me. What you need to worry about is below. But why you need to worry about it I’ll explore first. You may well ask yourself why this is a problem. Well, just bear with me as I explore why.
Background:
The GDPR (and indeed its predecessor the European Data Protection Directive) accepts that Personal Data may well leave a member state of the EU for one reason or another. Chapter 5 of the GDPR then outlines what ‘appropriate safeguards’ organisations need to put in place to ensure the transfer is ‘lawful’ and protected (both physically and legally).
The ways in which Personal Data can leave the EU are via;
- An adequacy decision from the European Commission
- A legally binding instrument between public authorities
- Signed Standard Model Contract Clauses as issued by the European Commission
- An approved Binding Corporate Rules Framework
- An exemption
For many years under the ‘old regime’ data transfers to entities in the USA were ‘allowed’ via a scheme called ‘Safe Harbour’. This was a US Government led scheme that was deemed ‘adequate’ by the EU Commission and allowed organisations that were ‘certified’ under the scheme to be seen as a ‘safe location’ for the purposes of international data transfers.
In the first legal challenge to this scheme in 2015, the CJEU found that the old scheme was not compliant with the Directive in force at the time and was therefore deemed ‘inadequate’. The US Government then worked with the EU to develop ‘Privacy Shield’ – a ‘reborn’ and new version of Safe Harbour that would try to address some of the concerns raised in the Schrems I case.
Privacy Shield was born and businesses in the USA could apply and be ‘certified’ as having ‘appropriate measures’ in place to protect EU citizens’ Personal Data.
Schrems II (as it is commonly known) is a legal challenge to this new scheme, similar to the previous one, including the use of the current SMCC template with organisations/entities in the USA. The argument being: how can entities in the USA offer adequate protections when the US Government has such wide-ranging and intrusive surveillance powers over any data on its ‘soil’?
As a ‘non-lawyer’ I’ve read the decision, and various commentaries on the matter, and can safely say that it’s interesting reading, albeit a little hard going.
In its decision (in a heavily summarised and simplified form for you, dear reader; for the full summary click here) the court’s findings were basically as follows;
- Privacy Shield does not offer adequate protections for EU citizens that match those of that offered under GDPR, and is therefore ‘not adequate’. (I think we all predicted that one).
- Standard Model Contract Clauses can still be relied on as an appropriate safeguard; however the Data Exporter (org within the EU) must demonstrate that they have considered the laws of the country of the Data Importer and any relevant risks to ensure appropriate controls are in place. (An interesting stance, but not surprising. Just emphasising what is already in the GDPR).
- Data Protection Authorities have to be clearer on their stances on what are ‘appropriate safeguards’, especially with regards to SMCCs but also to countries where there is no ‘adequacy decision’ from the EU Commission. (Also seems a little obvious given the complex nature of International Transfers and the ‘ambiguity’ of the Irish Commissioner’s actions with regards to Facebook (which is what all of this was about)).
I also suspect (and this is my conjecture here) that this will add pressure to the EU Commission to get a revised set of SMCCs out for GDPR (finally) and to expand their scope to cover not only Controller to Processor and Processor to Processor but also Processor to Sub-Processor transfers as well. May 2018 was 2 years ago; why were these not further up the list of things to do??
What this means:
Privacy Shield as a method of transfers is unusable.
The programme, by its nature and setup, was found to be lacking and therefore the EU Commission decision on its ‘adequacy’ was revoked. That removes its ‘legality’, so it cannot be used. If you are using it, therefore, you have some work to do.
Just switching to SCCs won’t work.
Aha, nice try. But just getting an international third party to sign a contract won’t cut the mustard. Many organisations will try to switch to SMCCs instead (or may well have already). Simply doing that alone will not be enough. The judgement outlines a clear duty for you as the ‘Data Exporter’ to ensure that you can (and have) put appropriate and demonstrable safeguards in place with your Importer (based on where they are in the world etc).
If you can’t evidence that, and cannot show that your importer has things in place to protect that data (other than a signed contract) then you are responsible for ensuring that changes or you suspend the transfer of that data.
As Martin Hoskins quite rightly points out in his blog earlier today, that poses a few issues for organisations as;
- Few orgs have the staff or the knowledge on SCCs and their use
- Often international transfers are ‘muddy’ as to what role the other organisation plays (controller/processor/joint controller?)
- It can be challenging to determine whether there is a meaningful transfer of personal data in the first place (i.e. one that would require SCCs)
- Different views exist on whether enough personal data is in scope to trigger the requirement to use SCCs in particular cases.
- It can be unclear as to who is accountable should a risk-based decision be taken not to use the relevant set of SCCs.
- Once the contracts have been signed and stored in a safe place, accessible to just a few key staff, most people don’t actually realise that they contain SCCs.
I’ve paraphrased a few of them there as it’s a quote; follow the link above to see the full comment from Martin.
Even if an organisation wanted to navigate some of that, without internal knowledge and resources, that ‘legal advice’ bill is about to get a lot higher. Cost of doing international business maybe? But what about ‘budget restricted’ organisations? I was only talking this morning with someone about how many Public Sector DPOs have very little experience or interaction with SMCCs etc. Therefore what do they do with their already stripped budgets? We can be ‘Data Protection purists’ about it, and I’ve done that before, but that doesn’t change the practicalities on the ground that this is going to increase cost (rightly or wrongly).
If you’ve not set a strategy on international transfers, therefore, now might be the time to explore it and decide if you even want to use internationally based services or not. And what does that mean in terms of availability of your own services?
You (the data exporter/data controller) have to investigate and verify the importing countries protections before the transfer can take place.
You can’t just say ‘here, sign this’ and off you go. If you know that your importer is based in a country like China (as an extreme example), and you know there are some real legal and technical threats to the data being stored there, then simply signing SMCCs is not enough.
What analysis have you done on this? Where is your Data Protection Impact Assessment? What other controls are in place to protect the data that is being transferred? Is it even appropriate that it should be transferred to that particular country in the first place?
If you’re surprised that all of these things are questions around transfers, then I have a surprise for you: they have been questions about transfers for a lot longer than GDPR. If you weren’t asking these questions from the beginning then what on earth do you think Data Protection is about? Or even, what did you think Data Protection by Design was all about?
Personally, I am not surprised that the court brought these issues up and emphasised the need for Data Exporters to take more responsibility for managing and checking their transfers and not just doing it because ‘internationalism is a good idea’. (They didn’t say that, but you get what I mean).
Data Protection Authorities have to focus their attention on international transfers in terms of ‘regulating’ and providing guidance and support.
Linked to all of this then comes both an explicit mention, and a clear ‘derr’, that Data Protection Authorities need to take a look at what they are doing around international transfers: what advice they are providing, and what enforcement they are doing where they find transfers to countries without appropriate safeguards.
It will be very interesting to see what the ICO does in this area given Brexit and given they are currently ‘under fire’ for not enforcing on GDPR ‘adequately’.
It will also be interesting to see what this means for the UK when it becomes a ‘third country’ under GDPR. Given we have very similar surveillance powers to the USA and the EU has been ‘disquiet’ over this in the past, has the likelihood of the UK not being granted adequacy status just gone up? And if so, does that also mean that the ‘hurdles’ to get data to the UK from the EU have just become a little more complex?
Potentially…
What you need to do about it:
For the non-Data Protection specialists that have gotten this far: first off, well done and thanks for sticking with me. The best thing you can do on the back of this is the following;
- Find out what transfers of Personal Data you have that are going to the USA (or anywhere else for that matter). This should already be in your information maps/audits but, if not, this is another reason to get that work done!
- Determine what contracts are in place that govern those transfers (if any)
- Determine what controls are in place around those transfers and services (if any)
Then determine how big your problem may be. If you have none, and you’re completely UK based and hosted, then great. Crack on with the mountain of other things to do.
If, however, you do have transfers outside of the UK/EU then determine what they are and deal with the riskier ones first.
Setting aside whether this was a problem before or after today, the point remains that this is an important area of Data Protection and it does require your attention.
Sometimes it takes a case like this to bump it up the ‘to do list’ and that’s fine; determine the scope of any issues and then look at what you might need to do to ensure you are adequately protecting data within your care.
N.B. While I was writing this it appears the Information Commissioner’s Office (ICO) issued a statement on the case. If you want to see an example of a kettle reminding you it was designed to boil water, I recommend a read. It will take about 15 seconds of your life.
Lighthouse IG is a Data Specialist firm offering knowledge and skills to organisations in how to manage and make the most of their data. From training to project and knowledge support, through our approach and experience we can support you on a range of needs. Follow us on social media (@IGLighthouse) to hear more or subscribe to the blog to hear from us directly!