EU-US Privacy Shield – Updates and the Repercussions
The Privacy Shield program is being administered by the International Trade Administration (ITA) within the U.S. Department of Commerce, to enable enterprises in the US to join the EU-US Privacy Shield framework. This program enables these organizations with a mechanism to comply with the requisite data protection requirements when transferring personal data for transatlantic commerce.
Primarily, this program helps the US organizations to register with them, self-certify about complying with the data protection requirements publicly. This ensures all their customers about compliances being in place about the data being collected and transferred. The self-certification also becomes an enforceable commitment under the US law.
There is also a Swiss-US Privacy Shield Framework being implemented similarly by the European Commission and Swiss Administration for the transfer of personal data from Switzerland. Both these frameworks were evaluated for adequacy on personal data transfers under the EU and Swiss law respectively and approved as valid. The European Commission approved it on July 12, 2016, and the Swiss Government approved it on January 12, 2017.
The Privacy Shield Framework website lists the below updates on their website:
On July 16, 2020, the Court of Justice of the European Union (CJEU) issued a judgment declaring as “invalid” the European Commission’s Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-U.S. Privacy Shield. As a result of that decision, the EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. That decision does not relieve participants in the EU-U.S. Privacy Shield of their obligations under the EU-U.S. Privacy Shield Framework.
On September 8, 2020, the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland issued an opinion concluding that the Swiss-U.S. Privacy Shield Framework does not provide an adequate level of protection for data transfers from Switzerland to the United States pursuant to Switzerland’s Federal Act on Data Protection (FADP). As a result of that opinion, organizations wishing to rely on the Swiss-U.S. Privacy Shield to transfer personal data from Switzerland to the United States should seek guidance from the FDPIC or legal counsel. That opinion does not relieve participants in the Swiss-U.S. Privacy Shield of their obligations under the Swiss-U.S. Privacy Shield Framework.
On August 10, 2020, a Joint Press Statement from U.S. Secretary of Commerce Wilbur Ross and European Commissioner for Justice Didier Reynders available in public domain stated that ‘The U.S. Department of Commerce and the European Commission have initiated discussions to evaluate the potential for an enhanced EU-U.S. Privacy Shield framework to comply with the July 16 judgment of the Court of Justice of the European Union in the Schrems II case’. Further to this, on September 28, 2020, the U.S. government has also come out with a white paper to assist organizations to help assess their compliances concerning the EU-US data transfers, specific to this above ruling.
There are serious repercussions for companies that deal with and transfer personal data from the EU and Switzerland. They are now bound to examine their data flows across the Atlantic, the requisite laws that will be applicable, and would need to ensure compliance. In other words, these companies must now find alternate ways to ensure data protection measures as the Swiss and EU –US Privacy Shield has been invalidated. There could be investigations on the violations, followed by a fine if found guilty of the same.
This is what is necessitating organizations to evaluate their international data flows viz a viz the requirements under the GDPR and take corrective actions. The European Union has issued two sets of Standard Contractual Clauses (SCC) for data transfers from data controllers in the EU to data controllers established outside the EU or European Economic Area (EEA). There is also one set of contractual clauses for data transfers from controllers in the EU to processors established outside the EU or EEA.
Organizations would now have to use these SCCs to analyze if they are providing an adequate level of protection to the data transfers they are undertaking. Every organization can do this evaluation and take measures to plug gaps, if any, and keep their customers and stakeholders informed about the same. This may mean passing down new safeguards and measures including implementing SCCs with all their stakeholders, as per GDPR requirements, wherein data processing is involved.
The Binding Corporate Rules (BCR) for transfers is still valid and that is an option that organizations can explore. But even the BCRs will have to be assessed and validated for adequacy and compliances, before adopting this route. They may also have to assess and amend all applicable contracts to reflect these changes. They would have to update all their communiqué concerning data privacy as well as Privacy Shield compliances or withdrawals.
Another option is to obtain explicit, specific, and informed consent of the data subject before the transfer is undertaken. This is applicable under Article 49 of the GDPR, wherein, if the transfer is necessary for the performance of a contract between data subject and controller also, it is allowed. The third clause in this also states that the transfer is allowed if it is necessary for important reasons of public interest. But, even in this case, it needs to be done with due legal considerations.
Importantly, organizations need to know that there is no grace period provided in the CJEU ruling for the same. This means that organizations cannot continue to do data transfers under Privacy Shield Program till a certain period with the hope of it getting it resolved. They will be held liable for all such data transfers under necessary compliances with immediate effect and have to assess their legal basis for the transfers.
The U.S. Department of Commerce’s International Trade Administration (ITA) continues to administer the Privacy Shield program. As per FAQs listed on the Privacy Shield website, US organizations continued participation in the program shows their commitment towards data and protection. There are also provisions provided for organizations that wish to withdraw from the program. The withdrawal requests will be handled as per due process and would have to comply with all the conditions set forth to do so.
The organizations are also requested to contact the appropriate European national data protection authority or legal counsel for answers to their queries regarding clarity and adequacy of the measures they are undertaking. This step can also help them decide on appropriate alternate data transfer mechanisms. The Privacy Shield website has also listed out some key new requirements that organizations need to comply with for participating in the EU- US Privacy Shield Program.
Apart from this, all organizations would need to monitor the developments happening as the discussions continue to see how things can be resolved to arrive at an adequate solution.