Max Schrems is an Austrian activist and author who became known for campaigns against Facebook for privacy violation, including its violations of European privacy laws and alleged transfer of personal data to the US National Security Agency (NSA) as part of the NSA’s PRISM program. Schrems is the founder of NOYB – European Center for Digital Rights.
On July 16, the Court of Justice of the European Union (CJEU) made a ruling in the “Schrems II” (Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems) case, which has significant ramifications for software businesses operating in the EU and in the US. The case dealt with the problem of the EU mandating much more specific and overarching software privacy protections than those available under US law. However, many businesses, and particularly Facebook, operate in both these domains (EU and US), so the personal data that they process ‘crosses over the pond’ between the EU and the US.
Consider an American tourist who travels to Spain and logs onto Facebook on their phone over an EU Wi-Fi connection through an EU-based proxy server. This person is now entitled to EU-level data protection even though they are an American citizen and signed up for their Facebook account under US law, privacy, and end-user agreements. Article 3 of the General Data Protection Regulation (GDPR) deals with Territorial Scope and provides a very broad definition. This aspect of the GDPR puts a great many non-EU businesses into the harsh regulatory environment of this data protection regulation.
Before the Schrems II ruling, the legal mechanism for this data transfer was the Privacy Shield Framework, a negotiated legal standard that oversaw how this situation would be handled. Vendors wishing to transfer data “over the pond” could employ EU-provided Standard Contractual Clauses (SCCs), which protected them from liability when the data was transferred.
Schrems II has changed all this and has invalidated the Privacy Shield Framework. Now, businesses that operate in any capacity in the EU must conform to EU privacy standards. SCCs remain valid but are risky and practically difficult in many cases. SCCs have typically been used for countries and territories where there are no adequacy findings. They have often been misused and misunderstood. The issue is that the terms include obligations that reflect the GDPR requirements to protect data transfers, and these obligations must be actioned, enforced, and followed on a case-by-case basis.
The Irish DPA (on 16th July) said that for EU/EEA to US transfers using SCCs, US surveillance laws may make it impossible for the SCC terms alone to protect data transfers: “it is clear that, in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable”.
Organisations need to carry out assessments when using SCCs that consider the relevant aspects of the legal system of the non-EEA country or territory in question, to check that it offers a level of protection essentially equivalent to that guaranteed by the GDPR. This should include data protection and national security legislation. As a result, they may need to implement additional measures in particular cases. If the organisation cannot guarantee the required level of protection, it must suspend the transfer or terminate the contract (or the data protection authority must enforce this).
The U.K. government was “disappointed” by the invalidation of Privacy Shield, and it is easy to see why. U.K. policymakers and businesses with an interest in data flows should pay close attention to the approach taken by the EU data protection authorities, the European Data Protection Board and the Commission in the coming weeks and months to see what transpires.
There is a great deal to think about and do. The focus should be to:
Written & Published By: Claire Robinson DPO, CIPP/E, CIPM, ISO 27001 certified Consultant.
Monday 28th September 2020