Whether your business is multinational or not, it’s likely that at some point information containing personal data will need to be transferred from Europe or Switzerland to the United States. Personal data is defined broadly to include any information which is related to an identified or identifiable natural person. For instance, a U.S.-based online business which is collecting or processing names, addresses, and credit card information to fulfill orders for its products from European or Swiss persons must be familiar with the rules governing cross-border transfer. The same applies to a U.S.-based service business which is collecting or processing names and health information to track outbreaks of COVID-19 globally.
Over the last 20 years, there have been two government-approved frameworks implemented to control data transfer, namely the U.S.-EU Safe Harbor Framework (Safe Harbor) and Privacy Shield. Both were invalidated by the Court of Justice of the European Union (CJEU) based on lawsuits brought by Maximilian Schrems. On March 25, 2022, President Joseph R. Biden and European Commission (EC) President Ursula von der Leyen jointly announced an agreement in principle for a new Trans-Atlantic Data Privacy Framework (Framework) that has the potential to establish the rules of European to U.S. data transfer.
While not many details are currently available, the Trans-Atlantic Data Privacy Framework will include a multilayered redress mechanism for EU citizens to file complaints with a Data Protection Review Court containing non-U.S. government members with the authority to “adjudicate claims and direct remedial measures as needed,” as noted in the White House release. Procedures will be followed by U.S. intelligence agencies to “ensure effective oversight of new privacy and civil liberties standards.” The next step is for the EC to draft an adequacy determination for the European Data Protection Board (EDPB) to review. Then the EDPB will issue a non-binding opinion, and the EC will request approval of a committee of representatives from member states.
If approved, the new Framework will incorporate principles from the Privacy Shield and continue the practice of self-certification.
There is a fundamental difference between the U.S. and European governments’ ability to access personal data. In the United States, the focus is on the government’s ability to conduct surveillance of foreign persons located outside the United States. In Europe, the Charter of Fundamental Rights of the European Union grants its citizens a right to privacy and data protection, particularly with respect to prohibiting foreign governments’ access to an individual’s personal data. This conflict is at the heart of the complaints brought by Schrems since 2011 and why it took almost two years to create a new Framework to transfer personal data.
From 2000 to 2015, Safe Harbor set the rules for personal data transfers. However, the CJEU invalidated Safe Harbor in Schrems I, finding that the laws of the United States do not offer satisfactory protection against surveillance of foreign citizens by U.S. governmental authorities such as intelligence (NSA) or security agencies (FBI).
After Safe Harbor was invalidated, the EC, Switzerland, and the U.S. Department of Commerce designed Privacy Shield to enable cross-border transfer of personal data, which was implemented by the EU on July 12, 2016. U.S.-based organizations voluntarily self-certified to the Department of Commerce, promising to comply with the Privacy Shield. The Privacy Shield established seven principles and 16 supplemental principles to govern personal data transfer, including the publishing of a Privacy Notice; opt-in and opt-out choices; access to one’s personal data; data integrity and purpose limitation; accountability for onward transfer; reasonable security measures; and recourse, enforcement, and liability.
To deal with national security issues brought to light by Schrems I, the Department of State established the Ombudsperson position to handle the processing of requests from EU and Swiss persons relating to national security access to their personal data transmitted to the United States.
On May 25, 2018, the General Data Protection Regulation (GDPR) came into force. Additionally, organizations used Standard Contractual Clauses (SCCs: contracts pre-approved by the European Commission) as a legal basis for the transfer of personal data from the EU to the United States. For a while, there was certainty in how to transfer personal data from the EU to the United States. Then, on July 16, 2020, in Schrems II, the CJEU invalidated Privacy Shield as contrary to the GDPR. The national security issue was again front and center in this case.
The use of SCCs for transfers between the EU and the United States was not invalidated, but the CJEU emphasized that data controllers or data processors using SCCs must “verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses.”
Where do we stand today? On June 4, 2021, the European Commission issued new SCCs, which are required to be used as of Dec. 27, 2022. Transfer Impact Assessments (TIAs) are also utilized to evaluate the legal process of the country to which the personal data is being exported.
Before a transfer of personal data may occur, U.S. organizations must answer questions, some of which are designed to assess the risk of U.S. intelligence agencies acquiring the personal data. Regardless of the purpose of the transfer or the type of personal data transferred, some factors are universal: The U.S.-based organization (typically, the processor) has a higher likelihood of being approved by the EU or Swiss exporter if the technical, organizational, and security measures implemented to protect the personal data include the following:
Given that the crux of the issues in both Schrems’ decisions is whether the laws of the United States offer satisfactory protection against surveillance of foreign citizens by governmental authorities such as intelligence (NSA) or security agencies (FBI), the other crucial questions asked are:
In many cases, the likely response is that the probability of U.S. authorities accessing the personal data of Europeans or Swiss data subjects under §702 of FISA is so low as to be negligible.
The NOYB, Schrems’ non-governmental organization, has filed complaints against 101 European companies for violating GDPR Chapter V in transferring Europeans’ personal data to the United States, specifically to Google and Facebook. The first decision was issued by the Austrian DPA on Jan. 13, 2022, against an Austrian publishing company’s website (NetDoktor), but not against Google directly—it and Google had used SCCs from 2010. The Austrian DPA said Google Analytics does not comply with the GDPR (holding that Google is subject to §702 of FISA); anonymization features weren’t used; U.S. intelligence agencies could identify data subjects; and encryption was not sufficient if U.S. intelligence agencies could require Google to provide the decryption key. Decisions in the 100 other cases are yet to be issued, although an unpublished French decision and statements by the Danish and Norwegian DPAs indicate that the Austrian decision may be followed. Google has taken some actions, including publishing Facts about Google Analytics Data Privacy and Take Control of How Data Is Used in Google Analytics.
As a best practice—at least until the Framework is approved—organizations should self-certify under the Privacy Shield, since the Schrems II decision did not release organizations that previously self-certified from continuing to follow Privacy Shield. In the meantime, organizations must respond to TIAs and use the new SCCs.
Since it may take months for the Europeans to approve the Framework, for the moment, European companies may also consider establishing a consent model. To fully comply, the consent to processing of the data subject’s personal data by the U.S. entity might need to be quite specific, not the general “I consent to everything” model commonly used by U.S. organizations. Alternatively, a European-based organization may consider using analytics tools that don’t require transfer of personal data to U.S. organizations and hosting personal data in Europe, if possible, until the Framework is approved. However, as Schrems and NOYB have said that they will challenge the Framework, with the goal of another CJEU evaluation, it remains to be seen whether the Framework will be the final chapter in the data transfer story.
Amy B. Goldsmith is a partner and chair of the privacy and cybersecurity group at Tarter Krinsky & Drogin.
Reprinted with permission from the May 9, 2022 edition of the New York Law Journal Cybersecurity Special Section. © 2022 ALM Global Properties, LLC. All rights reserved. Further duplication without permission is prohibited.