The End of EU-U.S. Privacy Shield

On July 16, 2020, the European Court of Justice (CJEU) issued a landmark ruling in case C-311/18 – Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (more commonly referred to as Schrems II). The court found that U.S. national intelligence laws (FISA 702 and Executive Order 12333) provide inadequate privacy protection for EU data subjects, who may be (knowingly or unknowingly) surveilled by U.S. government authorities. The CJEU’s decision immediately invalidated the EU-U.S. Privacy Shield framework as a legal mechanism to support the export of EU data subjects’ personal information to the U.S. for processing.

While the CJEU’s decision upheld the Standard Contractual Clauses (SCCs) as a legitimate legal mechanism to enable cross-border transfers from EU-based controllers (data exporters) to U.S. processors (data importers), it imposed conditions, in the form of supplementary measures, to mitigate the risk of data interception by U.S. federal authorities.

The European Data Protection Board (EDPB) immediately issued a set of frequently asked questions, to provide guidance for future transfers of personal data to the U.S., which also elaborates on the supplementary measures. The EDPB insists that controllers must assess the privacy risks associated with each processor “following a case-by-case analysis.” The EDPB has suggested that U.S. processors should implement supplementary measures to mitigate the threats that led to Privacy Shield’s downfall.

In this blog, we provide guidance regarding the supplementary measures in the context of GDPR compliance, as well as their function in a formal privacy program.

Why Standard Contractual Clauses Outlasted EU-U.S. Privacy Shield

As their name suggests, the SCCs are pre-defined contractual clauses that define appropriate data safeguard requirements for all controllers, processors, and sub-processors involved in exports of EU personal data, in compliance with Article 46. In fact, the SCCs are “the most widely used mechanism by companies transferring personal data outside the EEA.”

At their core, both the SCCs and the EU-U.S. Privacy Shield were legally binding frameworks that ensure data importers will protect EU privacy rights, in accordance with EU laws. This is the commitment that U.S. organizations who want the privilege of providing service to Europeans have to make.

Every organization around the globe that regularly processes EU personal data for any reason must comply with GDPR. Under Article 24.1, “the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed” … “taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.”

  • Article 24.2 requires the “implementation of appropriate data protection policies by the controller,” which should include data processing and protection requirements, defined in contracts or Data Processing Addenda (DPA).
  • Article 28.1 mandates that “processors provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”

Under EU-U.S. Privacy Shield, the EU allowed the FTC (under the authority of the U.S. Department of Commerce) to validate the compliance of U.S.-based processors. The assumption was that controllers could rely on the EU-U.S. Privacy Shield self-attestations held by their U.S. vendors to demonstrate GDPR compliance. Unfortunately, as Max Schrems ably pointed out, “The Court clarified for a second time now that there is a clash of EU privacy law and U.S. surveillance law.”

The lack of trust between EU officials and their U.S. counterparts has made the EU-U.S. Privacy Shield arrangement untenable. By steering former Privacy Shield participants toward the more common SCCs, the CJEU ensures that EU controllers become directly accountable for the protection of personal data while those data are in the possession of U.S. processors.

Implementing Supplemental Measures

If a company’s senior leaders have instructed the organization to prioritize the implementation of SCCs to keep the factory running, efforts will need to be focused on initiatives that strengthen the following privacy program components and controls:

  • Risk assessment – privacy, compliance and security, with strong focus on data protection
  • Data minimization – encryption at rest and in transit, tokenization, anonymization, deletion after processing
  • Strong access controls – restrict the number of people and systems that can access personal data
  • Records of processing – Personal Information (PI) inventories and data flow documentation.

These privacy controls should be applied to all personal data and processing systems in an organization’s control. As a bonus, these efforts, among others, will be equally effective in helping to meet the “reasonable security” requirement under CCPA.

We offer the following recommendations for supplementary measures to help address the threats that led to EU-U.S. Privacy Shield’s downfall. The European Union and United States continue to negotiate a replacement for EU-U.S. Privacy Shield that will likely include more stringent data protection measures. These supplementary measures are likely to be mandated by the EDPB in the next iteration of a transatlantic data sharing framework. This list is not all-encompassing, and these controls may not be suitable for all organizations. These supplementary measures should be implemented in accordance with an organization’s risk profile, on a case-by-case basis.

Risk Assessment / Risk-Based Approach to Data Protection

Conduct internal privacy risk assessments to determine the strength of privacy and security safeguards and the organization’s vulnerability to threats.

  • Consider all implemented supplementary measures (from this list) in the risk assessment, which should improve the organization’s risk profile. Considering the EDPB’s guidance, EU-based controllers will have to demand transparency from U.S. processors, who must self-assess and report their privacy risks, threats, safeguards and breaches.
  • Consider using an independent assessor to strengthen the case for GDPR compliance.
Pseudonymization

The controller replaces identifiers with unique IDs (tokens) for each data subject prior to transferring the data to processors.

  • The processor should not have access to the key for those IDs.
  • The controller will be able to re-identify data subjects after the processor returns the processed personal data.

Anonymization – Substitute Fake/Test Data to Protect Identities

The controller uses format-preserving techniques to replace the personal data with fake identities while maintaining the look, feel and utility of the original data.

  • The importer does not need to be aware if and when this approach is used.
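The pseudonymization and anonymization measures above, as an added Python illustration that is not Protiviti’s code: the controller keeps the HMAC key and token map, the processor works on tokens only, and the controller re-identifies the returned results; the anonymization variant keeps no key or map at all. The records, key and field names are constructed assumptions.

```python
# Added illustration (not Protiviti's code); records, key and field names are constructed.
import hashlib
import hmac

DIRECT_IDENTIFIERS = {"email", "name"}   # fields the processor must never receive

# Constructed sample records held by the controller (the data exporter)
RECORDS = [
    {"email": "anna@example.eu", "name": "Anna Example", "order_total": 42.0},
    {"email": "bo@example.eu", "name": "Bo Example", "order_total": 17.5},
    {"email": "anna@example.eu", "name": "Anna Example", "order_total": 8.0},
]

class PseudonymizationVault:
    """Controller-held key and token map; neither is sent to the processor."""
    def __init__(self, key: bytes):
        self._key = key
        self._token_to_id: dict[str, str] = {}

    def tokenize(self, identifier: str) -> str:
        # Keyed HMAC: the same subject always gets the same token, so the
        # processor can link records, but cannot recover the identifier without the key.
        token = hmac.new(self._key, identifier.encode(), hashlib.sha256).hexdigest()[:16]
        self._token_to_id[token] = identifier
        return token

    def reidentify(self, token: str) -> str:
        return self._token_to_id[token]

def pseudonymize_records(vault, records):
    """Export view: direct identifiers stripped, one subject token added."""
    return [{**{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS},
             "subject_token": vault.tokenize(r["email"])} for r in records]

def processor_aggregate(exported):
    """What the importer can do with tokens only: per-subject totals."""
    totals = {}
    for r in exported:
        totals[r["subject_token"]] = totals.get(r["subject_token"], 0.0) + r["order_total"]
    return [{"subject_token": t, "total": v} for t, v in totals.items()]

def reidentify_results(vault, processed):
    """Controller side, after the processed results come back."""
    return [{**r, "email": vault.reidentify(r["subject_token"])} for r in processed]

def anonymize_records(records):
    """One-way alternative: same-shaped fake identities, no key or map kept."""
    return [{**r, "email": f"subject{i}@{r['email'].split('@')[1]}",
             "name": f"Test Subject {i}"} for i, r in enumerate(records, 1)]
```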
Data Sovereignty and Strong Access Controls

The controller keeps the data hosted in the EEA and allows the processor access to the data from EU locations only.

  • U.S.-based processors who have EU-based processing facilities should consider moving the workload so that it remains in the EU.
  • Controllers and processors should consider the risks that subcontractors introduce and make appropriate risk-based decisions about future personal data transfers.

Data Privacy by Design / Data Minimization

Design data protection into the solution PRIOR to transmitting over a service provider’s media.

Importer Use Restrictions and Deletion Mandate

The processor agrees to process the personal data upon receipt and to delete the data immediately upon completion of the processing activity.

FISA Applicability Assessment

The Office of the Director of National Intelligence writes, “Section 702 is a key provision of the FISA Amendments Act of 2008 that permits the government to conduct targeted surveillance of foreign persons located outside the United States, with the compelled assistance of electronic communication service providers, to acquire foreign intelligence information.”

Companies who rely on platform services such as Facebook and Google to conduct business with Europeans should revisit their Privacy Impact Assessments soon, to account for potential business interruptions if and when EU regulators halt transatlantic data transfers.

Vendor Diversity

The controller divides the steps of a processing activity between processors to reduce the exposure risk with each importer.

  • The controller may select processors based primarily in the EU, or in countries that have received positive adequacy decisions.
  • U.S.-based processors should consider the risk associated with importing data to the U.S., given the CJEU’s concerns. U.S. processors relying on ‘electronic communications services providers’ for data transmission only should identify multiple carriers to mitigate the risk of service interruption.

Strong Encryption

GDPR Article 32(a) specifically requires the “encryption of personal data.”

The EDPB (in its former guise, the Article 29 Data Protection Working Party) issued its “Statement of the WP29 on encryption and their impact on the protection of individuals with regard to the processing of their personal data in the EU” (April 11, 2018). The EDPB’s opinion is that: “the availability of strong and efficient encryption is a necessity in order to guarantee the protection of individuals with regard to the confidentiality and integrity of their data which are the elementary underpinning of the digital economy. Any obligation aiming at reducing the effectiveness of those techniques in order to allow law enforcement access to encrypted data could seriously harm the privacy of European citizens.”

Contractual Controls

U.S. processors must contractually commit to notifying the controller when they can no longer comply with the obligations under the SCCs. If business conditions or the risk profile of the U.S.-based processor change at any point during the contract period, the processor would alert the controller, who would immediately discontinue its exports of personal data to the processor until such time as the processor can confirm its ability to comply with contractual terms and conditions.

Closing Notes

The European Council and U.S. government are already negotiating a replacement for EU-U.S. Privacy Shield, in accordance with GDPR Article 50 – International cooperation for the protection of personal data, which requires “the Commission and supervisory authorities” to:

  1. “develop international cooperation mechanisms to facilitate the effective enforcement of legislation for the protection of personal data;” and
  2. “promote the exchange and documentation of personal data protection legislation and practice, including on jurisdictional conflicts with third countries.”

Legal challenges will continue to influence the next framework for data exports to, and imports from, the U.S.

How Protiviti can Help

Our privacy consultants bring deep expertise in regulatory requirements and privacy strategy implementation. We can support your business in a variety of privacy-related efforts including:

  • Privacy risk and maturity assessments against generally accepted privacy frameworks
  • Compliance with regulatory obligations; assessing gaps and developing compliance roadmaps
  • Guidance on strategy development and technical assistance in the implementation of security controls
  • Independent assessments of privacy programs, including policies and procedures impacting data collection, minimization and storage limitation
  • Review of third-party and cross-border transfer documentation
  • Development of record of processing activities, data inventories and data flows
  • Legal support in response to consumer and internal requests for access to personal data

To learn more about our privacy and compliance capabilities, contact us.

Andy Soodek

Senior Manager
Technology Consulting - Security and Privacy
