Privacy Shield Not Mighty Enough for GDPR: EU-US Data Protocols Post-Schrems II
U.S. government surveillance has repeatedly been in the news, highlighting the larger U.S. surveillance system of foreigners and the incidental gathering of Americans’ communications. The U.S. government’s surveillance capabilities and long-standing policies have sparked concern and reaction from the European Union (“EU”), and now, in response to a European court ruling, European partners are reaching out to their U.S. counterparts asking to amend existing contracts to strengthen or install protections concerning European data. How U.S. entities respond to such requests can determine whether their commercial relationships continue uninterrupted and potentially give them a leg up against the competition.
The General Data Protection Regulation, or GDPR, requires that data sent outside of the European Economic Area (the EEA) receive the same protections that it does inside the EEA. In simplified terms, this includes protection from access to personal data without consent or other legitimate legal basis, and places purposive and proportionate requirements on that access. Until July 2020, data sent from the EU to the U.S. was considered to be protected from such access by the U.S. government under an arrangement between the EU and the U.S. called the Privacy Shield. In Schrems II, however, the Court of Justice of the European Union (CJEU) concluded that the Privacy Shield did not sufficiently protect European data from U.S. government snooping. The July 2020 decision focused on U.S. laws like Section 702 of the Foreign Intelligence Surveillance Act, which—broadly speaking—permits the U.S. government to demand that U.S. internet and email providers turn over data of foreign persons who are located outside the U.S. LBKM has experience with these laws, having advised clients concerning their reach and the government’s implementation of them. According to the CJEU, the existence of such laws and government practices under them means that the Privacy Shield does not meet the GDPR’s privacy standards.
This ruling means that companies in the EU that need to send data to the U.S. can no longer rely on the Privacy Shield’s general, ex ante authorization to do so. Under these circumstances, participants in a data transfer from the EU to the U.S. must identify other adequate means to protect data. The primary method permitted under the GDPR are pre-approved standard contract clauses concerning data protection. But the Schrems II opinion makes clear that companies relying on these standard contract clauses alone for data transfers may be non-compliant. Instead, companies will need to assess the law and practices of the country into which the data is being transferred to determine whether additional measures to supplement the contractual provisions are required to ensure GDPR compliance. In order to be both accurate and comprehensive, these legal and practical assessments require legal acumen and robust, plugged-in local connections.
The Schrems II decision left private actors scrambling. In response, the European Data Protection Board (EDPB), a European agency that applies the GDPR, recently published recommended supplementary measures that can be added to the existing standard contractual clauses to enhance privacy protections. The recommended supplementary measures include technical solutions like data pseudonymization and contractual solutions like audit rights, requirements to inform counterparties when GDPR compliance is no longer possible, and so-called “warrant canaries,” whereby the recipient of data undertakes to provide regular notifications that the data remains undisclosed. While the EDPB’s recommendations offer guidance to ensure legal compliance, they place the burden of implementation on private companies and require continual effort and engagement, which is why European partners are reaching out and why you should be prepared for their calls.
It is not, however, clear whether private solutions will be sufficient to permit the transmittal of data from the EU to the U.S. The U.S. government is unlikely to abandon its reliance on far-reaching surveillance tools and foreigners outside the U.S. have little to no expectation of U.S. Constitutional protections. For these reasons, although negotiations are ongoing between the U.S. and the EU for a replacement for the Privacy Shield, a speedy solution seems doubtful.
Still, commerce advances, and data transfers from the EEA to the U.S. continue. Until a replacement for the Privacy Shield is agreed, private actors will have to do their utmost to assure the privacy of European data transferred to the U.S., without the Privacy Shield. This is likely to lead to a flood of requests from EU entities to U.S. counterparts seeking amendments to existing contracts to enhance privacy protections for their data transfers. EU parties may also seek information on U.S. legal systems and the laws and regulations governing privacy to enable them to assess any risk that their data privacy will be breached. Requests from your European partners for regular assessments, contract reviews, and contract amendments will be the norm going forward. Still, their proposed changes must be scrutinized to ensure that they are harmonious with local laws and regulations and practically and technically feasible. LBKM can help with both ex ante and post hoc assessments and contract drafting and amendments.
For further information please contact:
- E. Jon A. Gryskiewicz at jon.gryskiewicz@lbkmlaw.com or +1.202.659.6749
The foregoing is for informational purposes only. It is not intended as legal advice and no attorney-client relationship is formed by the provision of this information.