Winter is Here: The Impossibility of the ECJ Invalidation of Privacy Shield

After digesting the news that the EU-U.S. Privacy Shield framework had been invalidated by the Court of Justice of the European Union, I thought of the scene in Game of Thrones where Sansa and Jon share a knowing chuckle as snow gently falls around them:

            Sansa:  “Winter is here.”

            Jon:  “Well, Father always promised, didn’t he?”

As a GOT fan and Stark loyalist, “Winter is Coming” are my house words.  Ned Stark may have lost his head but he knew what he was talking about – you need to expect and prepare for the worst at all times (now that I’m typing this, I think he would have been a better lawyer than Lord).  As such, I wasn’t exactly surprised at the ECJ’s decision since there have been rumblings since the inception of Privacy Shield just a few short years ago. 

Before I jump in, let me give a quick disclaimer - I’m not a European lawyer and I am perfectly open to (and even welcome) the possibility that I’ve missed something in my analysis. Please reach out to me if you think that’s the case.

Background

Even before GDPR, U.S. companies who wanted to receive personal data from the European Economic Area, or EEA, had to take certain steps to legalize the transfers.  Why?  Because the transfer of personal data to “inadequate” countries is restricted by European law.  Unfortunately for us, the U.S. is considered one such inadequate country.

To be clear, this has almost everything to do with government surveillance of a relatively small subset of communications.  But whether we like it or not the tail is wagging the dog on this one and all companies have to deal with the repercussions. 

You may be thinking to yourself, “What’s the big deal? Can’t we just put some language in the privacy policy and be done with it?”

Oh, my sweet Summer children, if only….

While the GDPR sets forth various mechanisms for transfer, notice via privacy policy is not one of them.  So while including a sentence like “By using this website, you consent to the transfer of your personal data from your country of residence to the United States” might make you feel good, it’s not an approved safeguard (or a valid consent, for that matter).

Prior to about 3 weeks ago, companies also needed to implement official Binding Corporate Rules, implement Standard Contractual Clauses, self-certify to the Privacy Shield framework, or rely on one of the very limited derogations set forth in Article 49 of the GDPR. 

SCCs

The ECJ’s July 16th judgment was sweeping.  With Privacy Shield no longer an option and Binding Corporate Rules being prohibitively expensive and time consuming, most companies are left with “standard data protection clauses” (generally referred to as Standard Contractual Clauses, or SCCs) as their only applicable “appropriate safeguard” under Article 46 of the GDPR. 

As a brief side note, the ECJ’s opinion indicates that SCCs may only be acceptable with the “adoption of supplementary measures by the controller in order to ensure compliance with” the level of protection required under EU law.  As of the time of posting, we are still awaiting guidance as to what those supplementary measures may be, but the scuttlebutt is that they will include things like encryption in transit to protect against government surveillance.

Either way, SCCs assume that you have one entity located in the EEA to act as the data exporter and a separate entity located in the inadequate country to act as the data importer.  These two entities can be affiliates of the same corporate group or they can be two distinct businesses, but at the end of the day it takes two to tango, or in this case, to contract.

This means that SCCs are not appropriate for U.S. companies who:

(1)   act as a data controller;

(2)   do not have an “establishment in the Union” to act as the data exporter;

(3)   do not have a third party co-controller in the EEA to act as the data exporter; but

(4)   are subject to the GDPR pursuant to Article 3(2) because they offer goods or services to data subjects in the EEA.

This is precisely why Privacy Shield (and Safe Harbor before it) was so valuable; it gave small to midsize companies a way to legally serve European customers without having to establish a separate presence in the EEA.  Rather, these companies were merely required to designate a representative in the Union under Article 27 of the GDPR.

An unintended consequence of invalidating Privacy Shield is that these companies may need to establish an entity in the EEA for the mere purpose of having a data exporter to fulfill the SCCs.  This is bizarre, to say the least, because it goes far beyond the actual language and apparent intent of the GDPR. 

Derogations

If you dabble in privacy, this is where you might ask “What about those derogations you mentioned earlier? I see that Article 49 permits transfer where it’s necessary for the performance of a contract.”

It’s a good question but unfortunately it’s already been answered in this prior guidance from the European Data Protection Board, or the EDPB.  Per the EDPB, we know that these derogations for performance of a contract are only applicable if the transfers are “not repetitive” and concern “only a limited number of data subjects.” The examples given are for one-time transfers relating to a specific individual or set of individuals.  This does not reflect the situation of most e-commerce companies who are making continuous transfers in order to serve EEA consumers en masse.

In short, the derogations are to be used as an exceptional surgical instrument and not as an everyday tool.

Stuck between a Rock and a Hard Place

So where do we go from here?  I hoped that the EDPB would address my SCC conundrum in its recent guidance issued on July 23rd, but I had no such luck.  I even tried chatting this question to the Irish Data Protection Commissioner, who I hugely admire and consider to be my privacy Queen of the North, but she refused the call*.

I have some practical ideas for how to embody the spirit of the SCCs without spinning up new legal entities.  If you’re interested in hearing more, please don’t hesitate to engage me for help.

However, until we receive further guidance from the EDPB, companies with no establishment in the EU are stuck between the rock of SCCs and the hard place of derogations.  The prevailing view in the privacy community seems to be that for now, EU Supervisory Authorities (aka data protection regulators) will not actively pursue enforcement actions around data transfers.  Rather, it’s more likely they will raise this issue in connection with an enforcement action for a separate infringement of the GDPR.

That’s obviously cold comfort if you are the unlucky subject of such an action, but hopefully it buys the rest of us some time.  And there is always the possibility of a political solution, but I don’t think regulators or businesses have much appetite for a third iteration of Safe Harbor / Privacy Shield / whatever-the-next-thing-would-be-called.

*Bonus points for those who caught both GOT references in that sentence.