People Intouch has always warned organisations that processing sensitive company data in the U.S. will put this data within reach of intrusive U.S. authorities (e.g. DOJ, NSA, DHS). This month’s ruling in Schrems II by the Court of Justice of the European Union (CJEU) confirms our concerns on this matter and stresses the importance of thinking carefully about where you want to process your company’s sensitive data relating to misconduct.
On July 16th, the CJEU invalidated the EU-U.S. Privacy Shield Framework in its Schrems II decision. The Privacy Shield was the legal basis on which 5,000+ companies relied to transfer personal data from Europe to the U.S. in a compliant manner. The invalidation will also have a significant impact on companies that did not rely on the Privacy Shield for compliant processing, as the ruling stresses the difficulties that can come with transferring your data to the U.S. and safeguarding it adequately.
The GDPR creates a Europe-wide level playing field for the protection of personal data within the European Union. The transfer of personal data outside the EU should adhere to an equivalent (high) level of protection. To accommodate cross-border transfers outside the EU, the European Commission issues adequacy decisions for specific countries. An adequacy decision consists of an implementing act and an examination procedure, including criteria such as respect for the rule of law, access to justice and international human rights standards. An adequacy decision for a specific country safeguards the international transfer of data to that country. Next to adequacy decisions, data transfers can also be carried out in a GDPR-compliant manner by, for example, entering into Standard Contractual Clauses (adopted by the European Commission, but currently also under scrutiny) or binding corporate rules.
The Privacy Shield was not the first agreement designed by the European Commission to provide equivalent protection for the transfer of personal data to the U.S. Its predecessor was the Safe Harbor Framework, which was approved 20 years ago. The Safe Harbor was invalidated by the CJEU in 2015 in Schrems I, because it lacked protection of fundamental rights equivalent to that in the European Union: the U.S. placed national security, public interest and law enforcement above the Safe Harbor principles for the protection of personal data.
The European Commission formally approved the EU-U.S. Privacy Shield in 2016 as an improved successor to the Safe Harbor. The Privacy Shield provided a voluntary certification program for which companies could sign up. Companies applying for the certification program had to qualify and commit themselves to the Privacy Shield principles. These principles included, for example, accountability for onward transfer, data integrity, access and liability. However, on July 16th the CJEU ruled that the Privacy Shield, too, does not provide enough safeguards. Specifically, the Privacy Shield does not provide enough guarantees to keep the transferred personal data safe from U.S. surveillance programs. Furthermore, the Privacy Shield does not grant European data subjects sufficient enforceable rights and effective legal remedies in the U.S.
The CJEU judgment once again underlines the difficulties that come with transferring company-sensitive data to the U.S. As the Privacy Shield no longer forms a valid legal basis for international data transfers, the organisations relying on it will need to make new arrangements to remain compliant with the high European standards for data protection. If they want to continue transferring their data outside of Europe, they will need to make a case-by-case analysis of how to safeguard it.
More details on the CJEU Schrems II judgment can be found here.