
Data Privacy

Aug. 10, 2020

How do US businesses handle data transfers with the EU going forward?

Last month, the Court of Justice for the European Union invalidated the "adequacy decision" made by the European Commission on the EU-US Privacy Shield, which provided a framework for regulating personal data transfers between the EU and the U.S.

Victoria Burke

Scott + Scott Attorneys at Law, LLP

Email: vburke@scott-scott.com

Victoria is an adjunct professor of Fashion Law at Southwestern Law School.


Last month, the Court of Justice for the European Union issued its ruling in Data Protection Commissioner v. Facebook Ireland and Schrems. The court's ruling invalidated the "adequacy decision" made by the European Commission on the EU-US Privacy Shield, which provided a framework for regulating personal data transfers between the EU and the U.S. The demise of the Privacy Shield is one more nod to the fallout from Edward Snowden's 2013 revelations regarding U.S. surveillance on personal communications.

The EU views privacy as a fundamental right, while the United States views it as a property right. Therefore, numerous safeguards were built into the EU's recently enacted General Data Protection Regulation to ensure data subjects' personal data is protected during transfers to countries that are not part of the EU. Article 45 of the GDPR provides for transfers on the basis of an "adequacy decision" -- that is, a decision finding that a country ensures a level of personal data protection that conforms to EU law.

The United States had been found to be inadequate, but mitigated this through policies. In July 2000, the EU Commission adopted the Safe Harbor Adequacy Decision. This recognized the Safe Harbor Privacy Principles issued by the Department of Commerce as sufficient for personal data transfers between the EU and U.S. Later, after the Safe Harbor was deemed inadequate, came the Privacy Shield, which was supposed to provide clear limitations on public authorities' access to data, to end indiscriminate mass surveillance of EU citizens' data when transferred, and to allow businesses to self-certify as compliant. Over 5,000 companies, from small to large, have been certified under the Privacy Shield and rely on this process for trans-Atlantic data transfers.

The CJEU cited several key issues in its findings as to why United States data protection is not adequate. One is the principle of proportionality: surveillance in the U.S. is not limited to what is strictly necessary, as EU law requires. This goes to the limits on protection of EU data subjects' personal data once transferred, given the access to and use of that data by U.S. public authorities. Data subjects are exposed to "unlawful (electronic) surveillance for national security purposes" by the U.S., and they lack redress for this intrusion. In particular, the court singled out Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333, which fail to grant "data subjects rights actionable in the courts against the US authorities." The court also found the Privacy Shield's requirement that an ombudsman be appointed to be a mechanism that lacks teeth, because the position does not include "power to adopt decisions that are binding on those intelligence services and does not mention any legal safeguards that would accompany that political commitment on which data subjects could rely."

If you ever wondered what difference a single person could make in this world, look no further than Max Schrems. His story is a David and Goliath parable, set in the arena of global privacy battles. Schrems is an Austrian privacy advocate who took Facebook to task for privacy violations and won. Schrems originally filed a complaint with the Irish Data Protection Commissioner regarding standard contractual clauses, or SCCs, used to transfer data from the EU to the U.S. The first incarnation of this case, Schrems I, led to the CJEU in 2015 invalidating the Safe Harbor Framework, the predecessor to the Privacy Shield. Then, on July 16, the CJEU's Schrems II decision felled the Privacy Shield. All because Schrems filed a complaint about how private data was being transferred between the EU and U.S.

The irony is that Schrems originally took issue with the SCCs. However, in December 2019, the CJEU advocate general in Schrems II gave qualified approval of SCCs, finding these written instruments to be a valid mechanism for the transfer of data. The caveat was that companies employing SCCs had to examine the national security laws of their own country to determine whether the SCCs were in compliance with the GDPR. The ruling by the CJEU last month aligned with the advocate general's opinion.

Going Forward

Although the CJEU found SCCs to still be valid, one interpretation could be that SCCs, and indeed any personal data transfers to the United States, might be unlawful because of our snooping habit. This perspective follows the line of thinking that if the Privacy Shield was found not to sufficiently protect personal data transfers from intrusion by U.S. surveillance, then how could SCCs stating compliance be any different? Although the burden is on the data exporter, the importer must be able to answer the exporter's questions about its handling of personal data. Companies need to ensure data transfers are safe and comply with the GDPR. If not, the company should not initiate data transfers at all. A paper trail is necessary to show analysis and assessment of the company's capability to comply. A company should examine the data it receives in the context of government surveillance -- i.e., has the intelligence community ever wanted this information? Think about transparency factors such as the volume and frequency of FISA requests, and the information sought in those requests.

Other alternatives for companies include localizing U.S. data in Europe, and even data minimization, so that companies limit what information they take from data subjects. Other options are derogations, but those are quite limited. Binding corporate rules are not a much better answer, as they only apply to intra-organization data transfers, and down the line, those rules could be challenged in the same vein as SCCs.
