Piercing the Privacy Shield

The EU-US Privacy Shield framework was meant to allow the lawful transfer of personal data from the EU to the United States. Under the Privacy Shield, personal data relating to data subjects in the EU could legally be transferred to US-based businesses that had self-certified and appeared on the Privacy Shield List. Such transfers are far more common than the general public expects, since a great many online services and remotely hosted software products (including cloud solutions) run on servers located in the United States.

Privacy Shield was intended as a replacement for the International Safe Harbor Privacy Principles, which had been in place since 2000 until the Court of Justice of the European Union (CJEU) declared them invalid in October 2015 in the case Maximillian Schrems v Data Protection Commissioner (the "Schrems I" decision).

After merely four years in operation, Privacy Shield was effectively pierced by another decision of the CJEU in July 2020: in its "Schrems II" judgment, the CJEU declared the European Commission's adequacy decision implementing the Privacy Shield invalid as well. The court's reasoning rested on the existence of invasive US government surveillance programmes (notably PRISM and UPSTREAM, operated by the NSA), against which EU data subjects have no effective legal remedy. As a result, transfers of personal data relying on the Privacy Shield became unlawful.

In addition, the CJEU set stricter requirements for transfers of personal data based on standard contractual clauses (SCC), a model agreement between the parties exchanging the personal data. The SCC themselves remain valid, but they can no longer be relied on mechanically.

Therefore, even with valid SCC in place, data controllers and processors transferring data under them must verify, before the transfer, that the recipient country affords a level of protection essentially equivalent to that guaranteed by the General Data Protection Regulation (GDPR). Where it does not, they must put supplementary measures and safeguards in place (for example strong encryption with keys held exclusively in the EU), or refrain from the transfer.

Unfortunately, the broader implications of the Schrems II judgment are not yet entirely clear. Some experts argue that personal data should not be transferred to the US at all, since the surveillance programmes are designed to defeat almost any conventional safeguard. Other legal professionals disagree, citing SCC together with additional safeguards (where necessary) as sufficient and proportionate, in particular in view of the economic interests of transatlantic trade.

However, the European Data Protection Board and many data protection authorities in the EU member states have made it clear that responsibility lies with the entities transferring the data to the US: it is up to them to decide, case by case, whether SCC are sufficient for the given purpose or whether extra safeguards have to be adopted.

This is a rather unfortunate attitude, as the vast majority of businesses cannot properly assess to what extent US surveillance programmes may reach the personal data they process, which exposes them to the risk of non-compliance with the GDPR and local data protection rules.

But there is a silver lining: the local authorities overseeing data protection will hardly be in a position to judge what level of protection is appropriate for a given transfer either, as the details of the US surveillance programmes are kept top secret.

Finally, Brexit, whose transition period ended on 31 December 2020, may make data transfers to the United Kingdom challenging as well. Since the Edward Snowden leaks, it is no secret that the British intelligence agencies run their own online surveillance systems (codename Tempora). Will the EU pick up the gauntlet?

Mgr. Radek Werich