When the Court of Justice of the European Union (CJEU) invalidated the EU-U.S. Safe Harbor framework in 2015, there was at least a clear path for organizations that wanted to keep their transborder data flows running: Safe Harbor was gone, and it was time to move to standard contractual clauses (SCCs).
Five years later, in July 2020, the CJEU made another landmark decision when it invalidated the EU-U.S. Privacy Shield agreement with its “Schrems II” ruling. The SCCs remained legally valid, but the court made clear that additional safeguards would be needed before they could still be relied on.
While the sense of shock is less striking than it was after the first “Schrems” ruling, the reality is that privacy professionals have faced a far murkier path since the court’s determination this past summer.
There are concrete actions to take, starting with an assessment of each transfer, but when you then turn to the safeguards that might be appropriate, they are now harder to implement and it is less certain what the right choice is. Take contractual safeguards as an example: organizations only want to negotiate once. If they negotiate now and later discover that the standard has shifted slightly, the added transaction cost of doing it all again will be high.
The lack of guidance in the days after the court struck down Privacy Shield was a real concern for privacy professionals. At Lanell we have been monitoring that uncertainty, which eased somewhat when the European Data Protection Board published its recommendations on post-“Schrems” data transfers in November. The road ahead remains uncertain for a large number of entities; however, there are steps organizations can take now to avoid legal issues down the line.
This is why we at Lanell Equity are evaluating companies in the data security industry: organizations will need to look at encryption and pseudonymization as technical measures for certain data transfers. For organizations with a heavier volume of global data flows, it may require a far deeper dive.
Organizations that are heavily dependent on data transfers in particular now have to work out what it would take to change their setup, because this is not something that can be done overnight. As companies realize that compliance may require them to rearchitect their solutions, the market will be looking at the impact on services and at whether there are alternative service providers to move to.
Part of the reexamination will be vetting the cloud service providers that act as data processors. The simple advice is to avoid cloud service providers that need to access the data in plain text. A provider that has to interact with the data in a meaningful way will ultimately need it in plain text, whereas an infrastructure-as-a-service cloud that only stores or hosts data the exporter has encrypted itself, with the keys kept under the exporter’s control, is one way to comply with the decision. The plain text issue was noteworthy enough for the European Data Protection Board (EDPB) to include a section on it in its recommendations.
One of the points the EDPB mentioned in its recommendations is that when an organization needs access to the data in plain text, it is very difficult to have effective safeguards. In fact, if there is an ability for national security agencies or law enforcement agencies to access that data and the organization has the data in plain text, it is very difficult to preclude that.
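To make the encryption and pseudonymization point above concrete, here is an added illustration (not code from the original post, and not an EDPB-endorsed implementation) of keyed pseudonymization done before the data leaves the EU. The exporter keeps the HMAC key and the re-identification table; the importer or processor abroad receives only pseudonyms, can still aggregate on them, but cannot turn them back into identities even if it is compelled to try. The names `Exporter`, `SAMPLE_RECORDS` and the helper functions are assumptions made for the example, and the records are constructed, fictional customers.

```python
"""Keyed pseudonymisation before export: the EU exporter keeps the key and
the re-identification table; the non-EU importer/processor receives only
pseudonyms it can aggregate on but cannot reverse.

Added illustration for this post; not code from the original page.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample records (fictional customers) held by the EU exporter.
SAMPLE_RECORDS = [
    {"email": "anna@example.eu", "country": "DK", "order_total": 120},
    {"email": "bert@example.eu", "country": "DE", "order_total": 80},
    {"email": "anna@example.eu", "country": "DK", "order_total": 40},
]

# Fields that directly identify a person and must never leave in the clear.
# Quasi-identifiers such as "country" still need a separate assessment.
DIRECT_IDENTIFIERS = ("email",)


def unkeyed_pseudonym(value: str) -> str:
    """The weak variant: a plain hash. Anyone with a candidate list of
    e-mail addresses can recompute it and re-identify the record."""
    return hashlib.sha256(value.encode()).hexdigest()[:32]


@dataclass
class Exporter:
    """Lives inside the EU (assumed name). Holds the HMAC key and the lookup
    table; neither is ever sent to the importer."""
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    lookup: Dict[str, str] = field(default_factory=dict)

    def pseudonym(self, value: str) -> str:
        # Deterministic keyed hash: equal inputs map to equal pseudonyms, so
        # the importer can still group by customer, but without the key the
        # pseudonym cannot be brute-forced back to the e-mail address.
        tag = hmac.new(self.key, value.encode(), hashlib.sha256).hexdigest()[:32]
        self.lookup[tag] = value
        return tag

    def export(self, records: List[dict]) -> List[dict]:
        """Replace every direct identifier before the data is transferred."""
        out = []
        for rec in records:
            rec = dict(rec)
            for f in DIRECT_IDENTIFIERS:
                rec[f] = self.pseudonym(rec[f])
            out.append(rec)
        return out

    def reidentify(self, tag: str) -> str:
        """Only the exporter can do this, using the table it kept at home."""
        return self.lookup[tag]


def importer_totals_by_customer(records: List[dict]) -> Dict[str, int]:
    """The processing the non-EU importer can still perform on pseudonyms."""
    totals: Dict[str, int] = {}
    for rec in records:
        totals[rec["email"]] = totals.get(rec["email"], 0) + rec["order_total"]
    return totals


def importer_reidentify_by_guessing(tag: str, candidates: List[str]) -> Optional[str]:
    """What an importer (or an authority compelling it) can do without the
    key: recompute unkeyed hashes for a candidate list and compare. This
    works against unkeyed_pseudonym and fails against the keyed pseudonym."""
    for c in candidates:
        if unkeyed_pseudonym(c) == tag:
            return c
    return None


if __name__ == "__main__":
    exporter = Exporter()
    shipped = exporter.export(SAMPLE_RECORDS)
    print(shipped)
    print(importer_totals_by_customer(shipped))
```

The design choice worth noting is that the key, not the hash algorithm, is what makes this a safeguard: a plain SHA-256 of an e-mail address is trivially reversed from a candidate list, while the HMAC output is only reversible by whoever holds the key and the table, which stay with the exporter in the EU. This covers the importer’s need to process pseudonymous data; a provider that must see the clear-text e-mail for its service is exactly the case the EDPB says cannot be fixed this way.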
The “Schrems II” case may have focused primarily on U.S. surveillance laws, but that does not mean everyone else should assume they are unaffected: any entity importing or exporting data to a country where law enforcement or security agencies can access exported European data must comply with the ruling. The EDPB notes that it is not just the initial transfer that needs attention, but every onward transfer as well. That is also why vetting cloud service providers has become an even more vital practice.
A company might transfer data to a parent organization for administrative purposes, and that parent organization might not be subject to these particular laws. It is worth noting, however, that if the parent uses a service provider, which in turn uses another service provider, which in turn ends up using a cloud service provider, then the decision is suddenly relevant for that company too. Because almost all processing of data ends up with a cloud service provider at some stage, the decision is almost universally relevant.
Niels Stenfeldt has already raised this in the Danish “EU Business and Regulatory Forum”, where he is a specially appointed member, appointed by the Danish Minister for Industry, Business and Financial Affairs, Simon Kollerup.
But the problem goes beyond Europe, as another issue is the legislative chasm between the EU and the U.S. Given the gap between U.S. surveillance laws and EU standards, it is hard to imagine a replacement agreement standing up to another legal challenge: a lot of work needs to be done to bring those surveillance laws up to the EU standard.
While the future of a Privacy Shield successor may be in doubt, we will see a new iteration of the SCCs thanks to the European Commission’s draft implementing decision that came out in November.
However, the final SCCs will likely not be a one-to-one match of what is currently in the draft decision. If an organization can wait until the final SCCs are unveiled, it is going to be in good shape. But for the data transfers that relied on Privacy Shield, the current SCCs must be used now, even though they will be reworked once again in short order.
Until then, privacy professionals will have to wait for the revised SCCs to arrive. And since the EDPB and the EDPS have to issue their own opinions on the Commission’s draft, it is highly unlikely that the revamped SCCs will be ready by the end of 2020.
And regardless of when they come, the reworked clauses represent a paradigm shift in transborder data flow, and it will be imperative for organizations in the EU, U.S. and around the world to take notice.
We cannot go back to the situation before “Schrems II”, where companies signed SCCs, whether the old ones or the new ones, without thinking about the broader context of the data flows. The additional due diligence that “Schrems II” requires is still going to be necessary under the new SCCs, and it will grow the underlying data security market substantially in 2021 and beyond.