How to survive in a post-privacy shield world

GDPR compliance has never been easy for American companies, but it just got a whole lot harder. The recent Schrems II decision by the CJEU invalidated the Privacy Shield framework that many American and multinational companies have been relying on.

Fortunately, the EDPB has released new guidelines for importing and processing private EU data outside the EU. While the new guidelines somewhat mitigate the challenges posed by the loss of the Privacy Shield framework by updating rules around SCCs, the guidelines still leave a lot of unanswered questions about GDPR compliance requirements. Here’s how your business can protect itself while courts and legislators around the world continue to iron out the fine details.

What was Privacy Shield?

Privacy Shield was a GDPR framework for transferring data between the EU and the US. Among other things, it required organizations to inform individuals about what data the organization collected, their data practices, and the rights individuals had over their own data stored by the organization.

It also restricted how organizations could use data, and provided a legal framework that was supposed to allow EU citizens legal redress if their data privacy rights were violated in America.

While organizations are still free to sign on to the Privacy Shield, it is no longer a sufficient cross-border data transfer mechanism.

What was the Schrems II decision?

Schrems II was a court case initiated by Austrian attorney and privacy activist Max Schrems. It is the second case brought by the privacy activist to challenge the way the EU enforces the privacy and security rights of European citizens online. Both cases have had a major impact on GDPR compliance requirements around the world.

In July, 2013, the Schrems I case began when Max Schrems petitioned the Irish Data Protection Commissioner to stop Facebook Ireland from transferring private EU data to its parent company in the United States. European data privacy rights prevent governments and companies from accessing private data without the subject’s permission, except under very specific conditions. In the wake of Edward Snowden’s NSA whistleblowing, Max Schrems believed that those rights couldn’t be protected when data is processed or stored in the US, because American intelligence and law enforcement have broad powers to access the data of private citizens.

In October 2015, Schrems won his first case, and the CJEU struck down Safe Harbor — a set of principles that governed data transfer between the EU and the US at the time. In July 2016, a new trans-Atlantic GDPR framework was adopted: the EU-US Privacy Shield.

However, in the meantime, Max Schrems had been litigating Schrems II, which was essentially a new phase of the same case. His complaint was that nothing had really changed — Facebook was using a different legal framework called SCCs to transfer its data, but European citizens really had no more protection from government surveillance than before.

The case was again referred to the CJEU. In July 2020, the court invalidated the EU-US Privacy Shield Decision, but did not invalidate SCCs. The court conceded that US law does not provide adequate protection for EU privacy rights, and that EU citizens are not able to challenge privacy violations in US court — something that the Privacy Shield was supposed to address with the appointment of an Ombudsperson in the US State Department. However, they stopped short of barring the transfer of data from the EU to the US.

Instead, the CJEU asserted that SCCs can be used to ensure data is protected to EU standards in non-EU countries, as long as the organizations responsible for personal data put in place adequate protections, including stopping the transfer of data when they can’t adequately protect it.

To provide clarification about how to do that, the EDPB published a set of final recommendations on “supplementary measures” organizations should put in place to protect data during international transfers and processing. You can read the full document here.

How do the EDPB guidelines change GDPR compliance?

So what’s the problem? You’re probably already using Standard Contractual Clauses (at least, you really should be), so you’re in the clear, right?

Well, not exactly.

The problem is that standard contractual clauses don’t provide the same level of legal protection they did before the Schrems II decision. The EDPB guidelines say that even when SCCs are adopted, cross-border data flows might still violate GDPR compliance in certain situations. It’s now your responsibility to determine whether it’s possible to fully protect the privacy of European citizens in your country, or whether the laws make it impossible.

How to comply with GDPR under the new guidelines

In a nutshell, the EDPB guidelines require you to do four things before you transfer data to a non-EU country, such as America:

1. Have SCCs in place with vendors and customers.
2. Assess other countries where you are processing European data to ensure that they have robust checks and balances in place before they can surveil people.
3. Consider if there are any additional security safeguards you need to take when European data enters that country.
4. Put those protections in place.

The guidelines divide the process up into six steps:

Map your transfers

Before you transfer data out of the EU, you need to map which countries your data is flowing to. This includes not just the country your business is located in, but any countries where you’re storing data in the cloud, and the countries where any partners you’re entrusting data to are located. For example, if you’re hiring overseas support and they’re going to have any access to customer data, that needs to be part of your data mapping for GDPR compliance purposes.

You also need to verify that the data you’re transferring is “adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed,” to comply with the GDPR principle of data minimization.

Identify what legal GDPR framework you’re using for data transfers

Check to see whether the countries involved in data flow have been certified by the European Commission as providing adequate data protections. An adequacy decision means that a country provides essentially the same level of data protection as the EU does. If all the countries where you’re transferring data are adequate, you won’t have to take any further steps. So far, the EC has recognized: 

• Andorra
• Argentina
• Canada
• Faroe Islands
• Guernsey
• Israel
• Isle of Man
• Japan
• Jersey
• New Zealand
• South Korea
• Switzerland
• the United Kingdom
• Uruguay

If you’re transferring data outside of these countries, you’re most likely transferring under article 46, which allows you to transfer with “appropriate safeguards” such as SCCs.

In most cases, SCCs are the appropriate legal GDPR framework for cross-border data transfers.

Identify any obstacles to GDPR compliance

This is where things get hairy. The EDPB expects you to evaluate laws, law enforcement practices, and other factors that might interfere with your ability to uphold EU data privacy standards, and document your findings. Keep in mind that the Snowden NSA spying revelations were the original basis for Schrems I, so if you’re importing data into the US, you need to take a close look at surveillance law and practices, and how they might interfere with your ability to uphold EU data privacy protections.

Add protections to raise privacy to EU standards

The required standard is known as “essential equivalence.” This means that your SCC, combined with your supplementary measures, need to add up to the same level of protection as EU law.

The EDPB recommends a range of measures, depending on the particular obstacle. These include:

• Anonymizing the data before transferring it out of the EU, so that it can’t be linked to specific people
• Encrypting the data with strong encryption, while storing the keys and controlling access from the EU, or an EC-recognized country.
• Splitting the data up so that the parts in non-recognized countries can’t be used alone to identify individuals, even if they are intercepted by authorities

If you aren’t able to bring your protection up to essential equivalence, you can’t import the data.

Put the procedures you identified in place

This one is self-explanatory. Implement all the controls you identified.

Monitor legal developments in the country

You should monitor law enforcement activities and new laws in the country to identify any changes that might interfere with your GDPR compliance or require new controls. Regularly revisit your controls, and update them as necessary.

Tips for surviving the GDPR compliance uncertainty

The new guidelines leave a lot of uncertainty around business activities outside of European and EC-recognized countries. Eventually European authorities are going to have to rule explicitly on whether companies can take European data to the US.

Until that happens, here are some tips to minimize your legal risk:

• Be as deliberate and transparent about your data practices as possible. Develop an internal policy on what data you will turn over to law enforcement, and under what circumstances, and share that policy with consumers.
  
• Continue to monitor how law enforcement handles consumer data, and take any precautions you can to mitigate the misuse of data.
  
• Keep an eye on EU enforcement actions around GDPR compliance. Most commonly, penalties were given over companies either not handling consumer requests for data deletion or data access, or not being transparent about their data practices. You can significantly reduce your risk simply by responding to consumer data requests and being transparent about how you use consumer data in your privacy policy.
• Each DPA in the EU has its own enforcement priorities, and each jurisdiction within the EU may have construed the GDPR in particular ways. If you have an outsized presence within one subregion of the EU, keep an eye out on those countries’ DPAs’ guidance and enforcement priorities.
  
• Your business model and customer base matter. Businesses in different sectors will naturally attract different levels of scrutiny. And although the GDPR is largely uniform across the EU, individual EU members are allowed to apply the GDPR slightly differently from one another in certain areas of the statute – including regarding whether prior consent is needed to send marketing messages to B2B prospects online. Make sure all internal business units that could be impacted by these regulations are aware and following best practices in whatever way they may vary across EU jurisdictions.

How TerraTrue can help

Whatever happens next in European privacy law, mapping the flow of data throughout your organization will be crucial to GDPR compliance. TerraTrue can help you record all the details around where your data is flowing, how it is being processed, and who has access, and facilitate a coherent data privacy strategy that keeps your consumers and your organization safe. Request a demo today, or contact us for more information.