Data Transfers to the USA – Fall of Privacy Shield – Standard Contractual Clauses Request: Informational Purposes Only
On July 16, 2020, the Court of Justice of the European Union (the “CJEU”) issued its landmark judgment in the Schrems II case (case C-311/18). In its judgment, the CJEU concluded that the Standard Contractual Clauses (the “SCCs”) issued by the European Commission for the transfer of personal data to data processors established outside of the EU are valid. Unexpectedly, the Court invalidated the EU-U.S. Privacy Shield framework.
The case concerns Max Schrems, an Austrian privacy advocate, who filed a complaint with the Irish Data Protection Commissioner (the “Irish DPA”) in 2015, challenging Facebook Ireland’s reliance on the SCCs as a legal basis for transferring personal data to Facebook Inc. in the U.S. Facebook turned to SCCs after the CJEU invalidated the U.S.-EU Safe Harbor Framework in 2015, following an earlier challenge by the same privacy advocate.
Specifically, Schrems alleged that the SCCs do not ensure an adequate level of protection for EU data subjects, as U.S. legislation does not explicitly limit interference with an individual’s right to protection of personal data in the same way as EU data protection law. A key concern was that EU personal data might be at risk of being accessed and processed by the U.S. government once transferred, in a manner incompatible with privacy rights guaranteed in the EU under the Charter of Fundamental Rights, and that there is no remedy available to EU individuals to ensure protection of their personal data after transfer to the U.S. Following the complaint, the Irish DPA brought proceedings against Facebook in the Irish High Court, which referred 11 questions to the CJEU for a preliminary ruling. The preliminary questions primarily addressed the validity of the SCCs, but also concerned the EU-U.S. Privacy Shield framework.
With respect to the SCCs, the CJEU judgment mainly followed the CJEU’s Advocate General’s (“AG”) non-binding opinion on the case (published on December 19, 2019). The CJEU stated that the SCCs provide sufficient protection for EU personal data, but underscored the fact that EU organisations relying on them have an obligation to take a proactive role in evaluating, prior to any transfer, whether there is in fact an “adequate level of protection” for personal data in the importing jurisdiction. The CJEU also noted that organisations may implement additional safeguards, over and above those contained in the SCCs, to ensure an “adequate level of protection” for personal data transferred, although it is unclear at this stage what form those additional safeguards would take. The CJEU further noted that non-EU organisations importing data from the EU based on the SCCs must inform data exporters in the EU of any inability to comply with the SCCs. When non-EU data importers are unable to comply with the SCCs, and there are no additional safeguards in place that would ensure an “adequate level of protection,” the EU data exporter is required to suspend the transfer of data and/or to terminate the contract. In addition, the judgment highlights the role of supervisory authorities in assessing and, where necessary, suspending and prohibiting transfers of personal data to an importing jurisdiction “where they take the view that the SCCs are not or cannot be complied with in that country and that the protection of the data transferred that is required by EU law cannot be ensured by other means.”
Contrary to the approach suggested by the AG in his opinion, the CJEU decided to examine and rule on the validity of the EU-U.S. Privacy Shield framework. In ruling that the Privacy Shield is invalid, the CJEU took the view that “the limitations on the protection of personal data arising from U.S. domestic law on the access and use of the transferred data by U.S. public authorities are not limited in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary.” Further, the CJEU found that the EU-U.S. Privacy Shield framework does not grant EU individuals actionable rights before a body offering guarantees that are substantially equivalent to those required under EU law. On those grounds, the CJEU declared the EU-U.S. Privacy Shield invalid.
Logical Next Steps for Organisations reliant on Privacy Shield
While SCCs remain valid, organisations that currently rely on them will need to consider whether, having regard to the nature of the personal data, the purposes and context of the processing, and the country of destination, there is an “adequate level of protection” for the personal data as required by EU law. Where that is not the case, organisations should consider what additional safeguards may be implemented to ensure there is in fact an “adequate level of protection.”
Organisations that currently rely on the EU-U.S. Privacy Shield framework will need to urgently identify an alternative data transfer mechanism to continue transfers of personal data to the U.S. Organisations may be able to rely on derogations provided in the GDPR for certain transfers (such as when the transfer is necessary to perform a contract), and SCCs or Binding Corporate Rules should also be considered as alternative mechanisms.
Inherent Problems remain – DPO View
I think there is a lot more in the CJEU decision than most are seeing: their comments on Executive Order 12333 (United States intelligence activities) and the Foreign Intelligence Surveillance Act (FISA) Section 702 are repugnant to European law and cannot be overcome. These instruments essentially pave the way to outlaw any US company from processing personal data of EU persons.
(In 2008, Congress passed a set of updates to the Foreign Intelligence Surveillance Act (FISA), including Section 702 which authorised warrantless surveillance of non-U.S. persons reasonably believed to be outside the country.)
I believe this is the most important line in the Judgment: "Furthermore, according to the findings of the referring court, the NSA’s activities based on E.O. 12333 are not subject to judicial oversight and are not justiciable."
As long as these issues remain, there is literally no mechanism (now or in the future) which can meet the requirements of EU law, so either EU law needs to change, or US law needs to change. Couple this with the US CLOUD Act and it would not even be possible for US companies to process EU data in the EU because it is still at risk; the only way forward is for US companies to use escrow services for data processing, and that is hugely complex and costly.
Furthermore, under the same principles by which the judgment considered SCCs with regard to suspension of processing, it is likely that lead Supervisory Authorities would have to make the same considerations for Binding Corporate Rules, because exactly the same risks are presented when using BCRs to transfer to countries like the US and China.
What does this mean in Practice?
European supervisory authorities will begin suspending transfers made under SCCs for the Facebooks and Twitters of this world. The Berlin Data Protection Authority has been the first to issue such an order to data controllers based in Berlin.
What are the alternatives for Business?
Binding corporate rules (BCRs) are data protection policies adhered to by companies established in the EU for transfers of personal data outside the EU within a group of undertakings or enterprises. BCRs are a private arrangement used in large multinationals and, much like SCCs, offer no more protection against the US Government asking for data than the SCCs do.
Helen Dixon (Irish DPC) confirmed in the IAPP webinar that BCRs share the same issues as SCCs regarding transfers to the US. Outside of this there are limited exceptions/derogations provided for in the GDPR.
Realistically there are no viable options for business at this time and industry will be looking to law makers to bridge the gap as seen following the fall of Safe Harbour.
The reality is that there is currently no mechanism for international transfer that will curtail foreign government surveillance (for the purposes of this document, US government surveillance). This is a case of conflict of laws, and no contractual agreement, not even the SCCs, is a solution. We will need to wait and see what the regulators' approach to this will be.
This should be an immediate cause for concern for companies that use US companies as processors, whether directly or indirectly through onward processing via a sub-processor. It will be the policy of IDPAA to guide companies to put SCCs in place for international transfers outside the EEA, with sufficient review and enquiry into the processing under consideration and the rule of law in the countries where the processing is to take place. IDPAA will continue to monitor the DP landscape.
At this time, the SCCs remain a lawful transfer mechanism with the onus on the transferring entity to have concluded an assessment of the necessity, proportionality and security of any transfer.
Any proposed data transfers to processors or sub-processors in the United States should be assessed as to necessity and proportionality. Please also note that this will include the United Kingdom, given the current situation with Brexit, and any other country outside the EEA where SCCs are the lawful transfer mechanism.
Boards of Management, Directors and Senior Managers should be advised to contact their DPO who will support with any assessment or review prior to any transfer in compliance with current available guidance from EU regulators.
IDPAA recommends these initial steps in response to this ruling:
• Review personal data inventories and processor reviews to identify geographical region of data transfers
• Engage with processors who are US based where you may have relied on Privacy Shield and put SCCs in place
• Contact current processors who are EU based but who use sub-processors who are based outside EEA and confirm that they have adequacy measures in place for transfers as required by your Data Processing Agreements.
• Ensure data flow maps for the processing are updated
• Update the corporate risk register to include the ruling and describe any potential business impacts
• Engage with any relevant stakeholders such as managers within the body corporate and any joint controllers that are party to a contract that includes data transfers outside the EEA
Ransomware has become a significant risk for companies of all shapes and sizes. It takes many forms, from attackers encrypting your data and only letting you decrypt it for a fee, stealing your data and threatening to widely publish it unless you pay, through to threatening to disable your IT systems unless you meet their demands. The attackers are well-resourced and sophisticated organized criminal groups or rogue nation states. You need to not just think you are protected from this threat – but to know you are protected – use this guidance as a start.
Issue
Organized criminal groups and rogue nation states are increasingly using cyberattacks to extort money from people and corporations. This is a lucrative business for them, with typical extortion payments running into millions of dollars. The most common pattern is to infect a company with a virus or other malware (known as ransomware) that encrypts your data so you can’t use your data or systems, or to hack through an exposure in your network perimeter and then plant the ransomware directly. When you have been compromised, they will ransom your data by demanding that you pay to have the data decrypted and, additionally, to avoid the attackers widely publicizing sensitive data they may have stolen.
Guidance
Defending against these attacks has much in common with defending against other forms of cyber-attack. It requires a set of basic IT controls to be implemented, along with comprehensive and well-tested backups of your data and systems. You should have a comprehensive program beyond this, but at least do the following:
1. Patch and Secure. Keep all your systems patched and up to date – especially security patches. Implement and continuously monitor system security configurations, especially for critical systems like core systems, Active Directory, cloud services and perimeter networks. Use CIS benchmarks: https://www.cisecurity.org/cis-benchmarks/
2. Lock Down Privilege. Heavily restrict who has administrative privilege to download and install software in your environment – only a small number of trained system administrators should be able to do this. Block or constrain the use of portable media such as USB storage and encrypt what you do use.
3. Filter Content. Filter e-mail and Internet access such that spam, malware, phishing and malicious web sites are blocked.
4. Actively Defend. Run endpoint security software (on mobile devices, desktops and servers) to block and report viruses, ransomware and other malware and attacks. Implement application whitelisting so only known good software can run. Bring activity logs back to a central, secure storage location.
5. Harden the Perimeter. Harden your Internet perimeter – make sure your web sites and Internet access are regularly scanned for vulnerabilities and that those issues are fixed. Make sure there are no open ports that are easily accessible by attackers. Make sure firewalls and other security gateways are reviewed regularly for the right rule sets.
6. Strongly Authenticate Access. Implement strong authentication (hardware tokens, or authentication apps on smart phones) for any remote access to your environment or services you use in the cloud (e.g. Office 365).
7. Isolate Critical Data/Systems. Isolate and encrypt your most critical IT assets and data, such as customer records, payment information, core intellectual property, authentication systems (e.g. Active Directory) in a segmented part of your environment. Encrypt content on your mobile devices and enforce mobile device security.
8. Back Things Up. Back up your data and systems and regularly test that it works by recovering to actual clean systems – not just inspecting the back-ups. Encrypt your back-ups. Make sure the back-ups are kept off-line or are otherwise immutable.
9. Manage Access. Manage identity and access to your on-premises, cloud or vendor systems. When someone leaves, have the ability to terminate all their access quickly. Check constantly that this is working.
10. Check Your Vendors. Finally, for any vendors that could cause you or your customers problems if they have an issue with your data or services, make sure they are doing these things as well.
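Step 8 asks for restore tests rather than backup inspection, and for back-ups that are immutable. The Python script below is an added example written for this guidance; it is not IDPAA's code or a feature of any backup product. It records a manifest (size and SHA-256 per file) at backup time, "restores" into a clean directory, and reports files that are missing, whose content differs, or that were not in the backup at all. It also shows a crude write-protection check on the manifest. The directory layout, file names and contents are constructed sample data; real immutability is a property of the backup storage (object lock, WORM media, offline copies), which the mode-bit check only approximates.

```python
"""Added example (not from the IDPAA guidance): prove a backup restores,
rather than only looking at it. All paths and file contents are constructed."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source: Path) -> dict:
    """Record the relative name, size and SHA-256 of every file at backup time."""
    manifest = {}
    for p in sorted(source.rglob("*")):
        if p.is_file():
            rel = p.relative_to(source).as_posix()
            manifest[rel] = {"size": p.stat().st_size, "sha256": sha256_of(p)}
    return manifest


def verify_restore(restored: Path, manifest: dict) -> dict:
    """Compare a restored directory against the manifest taken at backup time.

    Returns a report with files that are missing, files whose content no longer
    matches (what ransomware-encrypted or truncated data looks like on restore),
    and files that were restored but never backed up."""
    report = {"missing": [], "corrupted": [], "unexpected": []}
    seen = set()
    for p in restored.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(restored).as_posix()
        seen.add(rel)
        expected = manifest.get(rel)
        if expected is None:
            report["unexpected"].append(rel)
        elif p.stat().st_size != expected["size"] or sha256_of(p) != expected["sha256"]:
            report["corrupted"].append(rel)
    report["missing"] = sorted(set(manifest) - seen)
    report["ok"] = not (report["missing"] or report["corrupted"])
    return report


def is_write_protected(path: Path) -> bool:
    """True when no POSIX write bit is set on the file.

    Assumption: this is only a local approximation of 'immutable'; on real
    backup targets check the storage's own lock/retention setting instead."""
    mode = path.stat().st_mode
    return not (mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))


def demo() -> dict:
    """Constructed scenario: back up two files, then simulate a restore where
    one file came back damaged and the other was not restored at all."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "source")
        src.mkdir()
        (src / "customers.csv").write_text("id,name\n1,Alice\n")
        (src / "ledger.json").write_text('{"balance": 100}')
        manifest = build_manifest(src)

        # Write the manifest beside the backup and make it read-only.
        backup_manifest = Path(tmp, "backup.manifest.json")
        backup_manifest.write_text(json.dumps(manifest))
        os.chmod(backup_manifest, stat.S_IRUSR)

        # Simulated restore target: customers.csv damaged, ledger.json missing.
        restored = Path(tmp, "restored")
        restored.mkdir()
        (restored / "customers.csv").write_bytes(b"\x8f\x12\x00garbage")

        report = verify_restore(restored, json.loads(backup_manifest.read_text()))
        report["manifest_write_protected"] = is_write_protected(backup_manifest)

        # Restore the write bit so the temporary directory can be cleaned up.
        os.chmod(backup_manifest, stat.S_IRUSR | stat.S_IWUSR)
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A restore test that ends with `"ok": false` is the useful outcome: it tells you before an incident that the backup would not have saved you. Run it against a clean host, never against the production system you are trying to protect.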
Broader Considerations
If you haven’t done a security penetration test recently, conduct one, consider making vulnerability assessment a regular process, and have the testing vendor focus on your ability to resist ransomware events. Also, whether or not you think you are in good shape, you should develop an incident response playbook for ransomware events, conduct a leadership drill to test your ability to respond, and have a business continuity strategy in case of an attack (including, but not limited to, disaster recovery failover).
The playbook should include immediate escalation to the board, law enforcement, and information security vendors. Depending on the information that is compromised, you may also need to report to regulatory or other government bodies. You should consider whether any information compromised is considered Personal Data as that will create additional reporting obligations.
You should verify your cybersecurity and/or business disruption insurance policies to ensure ransomware coverage is in place.
This guidance is provided for the benefit of County Tipperary Chamber of Commerce membership companies and is not intended to be shared further. You should always consult your legal, compliance, risk or security teams or designated legal counsel before making critical decisions for your business.
Should you require additional guidance or support from IDPAA on any Data Protection related matters or concerns please contact Paula Carney-Hoffler on 052 614 6220/0872681891 or via email firstname.lastname@example.org
No part of this material may, without IDPAA Limited’s prior written consent, be (i) copied, photocopied or duplicated in any form, by any means, or (ii) distributed to any person that is not an employee, officer, director, or authorised agent of the recipient. © 2020 IDPAA Limited. All rights reserved.