Strategy, privacy, and risk

So Long, Privacy Shield

In what’s rapidly becoming the splashiest news to hit the privacy space in years, the Court of Justice of the EU (CJEU), the highest court in the European Union, invalidated the U.S. Privacy Shield, a legal instrument that made it possible for organizations operating in the United States to transfer EU personal data to the U.S.. To add to the impact, the CJEU provided no grace period for this change, meaning that the 5,000+ organizations currently enrolled in the Privacy Shield program are effectively out of compliance as of the decision’s publication on July 16.

Prior to this decision, there were four main avenues a U.S.-based organization could use in order to transfer data out of the EU:

  • Privacy Shield: The lamented and now invalidated U.S. Department of Commerce program requiring participating organizations to maintain a privacy policy enshrining seven “principles,” (notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, and recourse, enforcement, and liability). The EU’s acceptance of the Privacy Shield assumed reliable enforcement, for which the Federal Trade Commission is responsible, as well as an ombudsman to which EU citizens could appeal for redress if they believed their personal data was being misused, and which would be presumed to have the authority to overrule U.S. federal law enforcement and surveillance activities.
  • Standard Contractual Clauses (SCCs): Model contractual language published and maintained by the European Commission that establish a legal mechanism for transfer when included in the contract between a European organization transferring data to a U.S. counterpart. These clauses are chiefly used as part of an agreement between two companies, or between a U.S. company and its European agency. Notably, Facebook relies on SCCs to establish transfer adequacy.
  • Binding Corporate Rules: Standard privacy and security controls the organization implements to govern its collection and use of EU personal data. These must be approved by the EU member state Data Protection Authority (DPA) in which the organization is mainly operating, and typically require annual assessment and validation.
  • Standard Derogations: Exceptions specifically called out in the GDPR for transfer, which include explicit consent from the data subject, and any transfer required for the performance of a contract.

The case, Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems, also known as “Schrems II,” centered on the question of whether the SCCs could legitimately provide protection for personal data in the U.S. equivalent to what’s required in the EU in light of US data surveillance practices. In something of a surprise twist, the CJEU validated SCCs as an transfer mechanism (with some important provisions), but then pivoted and ruled Privacy Shield invalid on the grounds that it was inadequate due to the apparent lack of the ombudsman’s ability to exert any control over U.S. intelligence and law enforcement collection of European personal data.

This outcome wasn’t surprising for anyone who has been following U.S. and EU privacy matters for any amount of time. Many of the complaints levied against Privacy Shield were the same complaints from back in 2015 when the CJEU invalidated Privacy Shield’s predecessor, the U.S. Safe Harbor program. Europeans tend to view privacy as a human right, so they have never been comfortable with the American perspective, which tends to view privacy as more a question of monetizable business assets and a cost of doing business. The perceived threat of the FISA courts (which along with notion that the NSA is tapping undersea cables for snooping is specifically called out in the decision) doesn’t help matters. Honestly, Privacy Shield’s fate was probably sealed from the beginning, so for years Coalfire has been advising our clients to use Privacy Shield only as a stopgap measure to achieve compliance while pursing more robust transfer mechanisms such as Binding Corporate Rules (BCRs).

So, what now? In its decision, the court emphasized the requirement that EU member state DPAs must take action to invalidate those data processing agreements based on the use of SCCs in which the protection they require can’t be reasonably assured. This creates a greater obligation for organizations collecting EU personal data to make certain that they not only have adequate privacy and security measures in place, but they are much more vigilant and demanding of the third-party data processors with whom they enter into data transfer agreements. The ‘sign-it-and-forget’ days of SCCs as standard contract template language are all but over. All organizations will need to be able implement and demonstrate solid privacy and security controls, including measures like end-to-end encryption. Those organizations relying on BCRs should assume a similar level of heightened scrutiny from their respective DPAs as well. Finally, those organization relying exclusively on Privacy Shield must take immediate action to identify and implement an alternate means of establishing a mechanism for transfer, such as pursuing BCRs.

Privacy has always been a dynamic and rapidly shifting space, and that’s never been truer than today. The rise of next generation data processing technologies such as artificial intelligence and machine learning, the wholesale migration to international cloud infrastructure, and the increase of customer awareness and trust expectations have already complicated the environment for organizations dealing heavily in personal data. The Schrems II decision, while every bit the system shock it seems, only underscores the need for strong, deeply integrated privacy controls, an understanding of the constantly evolving risks, and a crisp, agile approach to ensuring privacy and data protection at all levels of the organization.

How can we help?