The Broken Privacy Shield: What to do now
Posted on: Thursday 23 July 2020 | IAB UK
Any company that has been relying on the EU-U.S. Privacy Shield Framework to transfer personal data from the UK to the U.S. will no longer be able to do so. But what does this mean for you and what do you need to do? We answer the pressing questions
It’s official: the EU Court of Justice has invalidated the U.S. Department of Commerce EU-U.S. Privacy Shield Framework in their landmark ‘Schrems II’ case. To summarise, this means that any company that has been relying on the Privacy Shield to transfer personal data from the UK to the U.S. will no longer be able to do so. The Court also reviewed the validity of Standard Contractual Clauses (SCCs) as an alternative basis for international data transfers and concluded that they remain valid. However, the decision emphasised the obligations on data exporters using SCCs to be able to demonstrate that the contracts they have in place provide a level of protection in practice that is essentially equivalent to the one guaranteed by the GDPR.
There are quite a few issues to unpack here, and the IAB in conjunction with the Lucid Privacy Group has distilled it down to the key points to help members understand the implications. However, you should seek your own legal advice where necessary.
Note: This Q&A assumes that the ICO is your lead Data Protection Authority (DPA) under the GDPR. If you have a different lead DPA you should refer to their guidance.
What caused this decision?
Simply put – U.S. surveillance laws and limited redress rights of EU data subjects, based on which the Court decided that the Privacy Shield does not provide adequate levels of protection. This complaint stems from the 2013 Edward Snowden revelations, and the decision is not entirely surprising given other previous EU Court decisions (e.g. Schrems I invalidating the U.S. Safe Harbor Program).
What has the ICO and the UK Government said?
The ICO issued a brief statement recognising that data transfers are vital to the global economy and saying that it will be working with other stakeholders to ensure that data flows can continue. It has since published a further statement referring companies to the EDPB’s FAQs and recommendations, which cover both to the Privacy Shield and SCCs, and said that it is considering its role in the oversight of international transfers. The UK Government’s response says that ‘it remains committed to supporting UK organisations on international data transfers’ and that it is working with the ICO and others to ‘ensure that updated guidance on international data transfers will be available as soon as possible’.
How do I know if this decision affects my company?
Identify all of your U.S.-based service providers, and review your agreements with them to see if there is a provision about their compliance with the U.S. Privacy Shield. Alternatively, you can review the Privacy Shield Participants List to see if your service providers are listed and then review their contracts.
What should I do now?
The ICO’s advice (as of 27 July) says: ‘Further work is underway by the European Commission and EDPB to provide more comprehensive guidance on extra measures you may need to take. In the meantime you should take stock of the international transfers you make and react promptly as guidance and advice becomes available.’We recommend that you review your existing supply chain and contracts to identify where you are relying on the Privacy Shield or SCCs (as above). Where you rely on the Privacy Shield, you will need to put alternative arrangements in place so it is worth beginning conversations with those service providers about what they might be. It is also likely that you will need to review and revise contracts that contain SCCs, given the Court’s decision on the adequacy of U.S. protections, so you should plan for that, too.
It is worth remembering that the Privacy Shield may not have been a valid legal mechanism for UK-U.S. data transfers after the end of the Brexit transition period (December 31 2020) Find out more in our briefing.
What are my company’s other options?
The GDPR provides for multiple other transfer options, the most relevant of which are set out below. For most companies, SCCs are likely to be the most relevant in the short-term. For full details see the ICO’s guidance on international transfers.
(a) Standard Contractual Clauses (aka ‘Model Contracts’): Adopted by the European Commission, these agreements enable companies to follow a similar set of terms to enable processing of EU data in countries that do not have adequacy agreements in place, and are likely to be the most appropriate mechanism for many businesses. These agreement terms cannot be modified (other than filling in the blanks), and are often attached as an addendum to a data protection agreement. Data controllers need to be satisfied that the terms of the SCCs can and will be complied with. This means you should carry out due diligence with your service providers.
You can download the existing agreement terms here. The ICO has also produced template contracts you can use, which include more explanatory notes and guidance: Controller to controller | Controller to processor. Note: As set out above, the ICO is reviewing SCC guidance so this, and potentially the templates, are likely to be revised.
(b) Binding Corporate Rules: Multinational corporations can establish a set of policies and procedures that are endorsed by all EU member country data protection authorities (DPA). This is a long arduous process, and only a small set of companies have achieved it to date. Even so, there are some on this list that you may already be working with who have BCR’s in place, such as Box, Cisco, HP, NetApp, Oracle, Salesforce, Twilio and Zendesk. Note: BCRs with the ICO as the lead Supervisory Authority are affected by Brexit and need to be amended to continue to be used beyond the transition period (For more details see here)
(c) Move your EU data from the U.S. to the EU (or another ‘adequate’ country), if appropriate: Many cloud providers and larger service providers have anticipated this issue, and now enable customers to choose their hosting locations for EU personal data. The UK has said, after Brexit, it will allow personal data transfers from the UK to the EU/EEA and to countries that have an existing EU adequacy decision. Take note – choosing to migrate to another service provider just for this reason is not likely to be necessary due to the other options available.
There are also other options available, and if you are unsure of the best course of action we recommend you seek legal advice.
What happens to companies’ Privacy Shield Certifications?
Nothing. These companies have a binding agreement with the Department of Commerce, and must fulfil those terms until their renewal is lapsed or terminated. The U.S. Federal Trade Commission can continue to enforce these terms, and service providers may rely upon them to provide reasonable assurances to corporate customers that they are responsible data stewards. However, the Privacy Shield can no longer be solely relied on to demonstrate compliance in practice with GDPR requirements that apply to international data transfers.
In August the U.S. Department of Commerce and the European Commission issued a joint statement saying that they ‘share a commitment to privacy and the rule of law’ had that they have begun discussions on developing an ‘enhanced’ Privacy Shield in light of the CJEU’s decision, so it is possible that new agreement may be reached in the future.
What if we don’t make any changes?
In the short-term, it is unlikely that DPAs will take enforcement against companies who have not implemented alternative data transfer mechanisms, particularly until they have issued further guidance. However, you should plan on the need to make changes and be ready to implement those changes once further guidance is available from the ICO.
Is there any new guidance?
The EDPB announced in September that it has set up a taskforce to ‘prepare recommendations to assist controllers and processors with their duty to identify and implement appropriate supplementary measures to ensure adequate protection when transferring data to third countries.’ In the meantime, you can refer to its FAQs.
What are my company’s next steps?
Identify all of your personal data service providers based in the U.S. If you have not completed a data mapping or Record of Processing Activities (ROPA), then now is the time to do so
Review the Privacy Shield and BCR companies lists and cross-check with your existing contracts to determine where you may need to supplement your existing agreements
Consider putting in place SCCs (together with carrying out appropriate due diligence) for any contracts that currently rely on the Privacy Shield. This is also a relevant consideration in the context of Brexit. Bear in mind that you may need to make further changes or once further guidance has been issued
Enhance your data protection agreements to include provisions that address transparency and response procedures in relation to Governmental requests for data, as well as security controls (e.g. encrypting data at rest)
Keep an eye out for updates from the ICO and the IAB
We will keep members updated as new information or guidance emerges.
Digital Advertising Guidance: DPIAs under the GDPR
Data protection impact assessments: When are they required? And what does a good DPIA process look like for the digital advertising industry?Learn more
Webinar: Update on IAB UK’s response to the ICO report
In December, we published our response to the ICO’s ‘Update report into adtech and real time bidding’, setting out our plan for action in six key areas...Learn more
Digital advertising guidance: special category data under the GDPR
What is special category data, how might it arise in digital advertising, and what are the restrictions on its processing under the GDPR?Learn more
June 2020 update on our Special Category Data work
As we launch our guide to special category data under the GDPR, find out what else we’re doing in this area to help members understand and minimise...Learn more