What Schrems 2 Means for your Privacy Shield Program
By Francoise Gilbert, CEO, DataMinding, Inc.
The publication of the EU Court of Justice decision in the Schrems 2 case has left many organizations, worldwide, facing a difficult dilemma. What to do next to ensure the continuity of personal data flows from the European Union or European Economic Area (“EU/EEA”) towards the United States? The consequences of the EU Court of Justice decision are complex, and numerous aspects must be taken into account.
The Schrems 2 decision focuses primarily on two elements, the EU-US Privacy Shield and the Standard Contractual Clauses Controller-to-Processors, but it also affects companies that rely on binding corporate rules, as the EDPB observed in the FAQs it recently published. At this point, for most organizations, reliance on Standard Contractual Clauses (with the modifications needed to address the EU CJ decision) appears to be the most viable means of ensuring the legality of transfers of certain categories of personal data out of the EU/EEA.
However, members of the EU-US Privacy Shield program should also pay attention to the parts of the Schrems 2 decision that pertain to the Privacy Shield program. The invalidation of the European Commission decision concerning the adequacy of the protection provided by the EU-US Privacy Shield framework has very important consequences. It would be an error to simply remove all references to the organization’s participation in the Privacy Shield program from the company’s website, and just move on.
What the “Privacy Shield Invalidation” Means
“Privacy Shield Invalidation” is a deceptive shortcut. Actually, the Court of Justice of the European Union declared as “invalid” the 2016 decision of the European Commission on the adequacy of the protection provided by the EU-US Privacy Shield. The Privacy Shield framework still exists. However, the EU-US Privacy Shield Framework is no longer a valid mechanism to meet the requirements of the EU/EEA laws when transferring personal data from the European Union or European Economic Area to the United States. The principles of the Privacy Shield, and the promises made to the US Department of Commerce – International Trade Administration (ITA) by those who registered with the EU-US Privacy Shield program, remain.
Further, the “invalidation” is limited; it is not global or universal. It applies only to transatlantic data flows between EU/EEA member states and the United States. It does not affect other aspects of the Privacy Shield program. Nor does it automatically relieve US businesses that have self-certified under the EU-US Privacy Shield program from the obligations they otherwise have under US laws.
If your organization has self-certified with the EU-US Privacy Shield program, and/or the Swiss-US Privacy Shield program, it is listed on the Privacy Shield List, and it is directly affected by the parts of the Schrems 2 decision that pertain to the EU-US Privacy Shield. The organization should evaluate the extent to which it – or its service providers – relied on EU-US Privacy Shield self-certification to provide foreign customers and other contracting parties with assurances concerning the “adequacy” of the protection of personal data it offers. It should evaluate every aspect of the program, its benefits and deficiencies, before making any decision concerning continued adherence to, or withdrawal from, the program.
In this article, we will identify some of the issues that organizations that do business internationally should keep in mind:
- Privacy Shield is not just an EU-US agreement. It is relevant to relations with other countries;
- The invalidation of the 2016 European Commission Decision to recognize the EU-US Privacy Shield as a means to demonstrate that adequate protection is provided to personal data of EU/EEA residents does not cancel other aspects of the Privacy Shield program;
- US law still applies to US businesses that have self-certified their practices under the EU-US Privacy Shield program. These obligations do not go away because of the EUCJ decision;
- Organizations that decide to withdraw from the Privacy Shield program must follow specific rules described below, or risk legal troubles.
The Many Facets of the Privacy Shield Program
The Court of Justice of the European Union declared as “invalid” the decision of the European Commission on the adequacy of the protection provided by the EU-U.S. Privacy Shield; it did not invalidate the Privacy Shield program itself. This means only that the EU-U.S. Privacy Shield Framework is no longer a valid mechanism to meet the requirements of the EU/EEA laws regarding the “adequacy” of the protection of personal data in the context of transatlantic transfers of personal data.
The Privacy Shield program is much more complex than it may appear. It is not just an EU-US agreement. It is relevant to relations with other countries. The invalidation of the 2016 European Commission Decision to recognize the EU-US Privacy Shield as a means to demonstrate that adequate protection is provided to personal data of EU/EEA residents does not cancel other aspects of the Privacy Shield.
There are Two Privacy Shield Programs
First, there are two Privacy Shield programs. One has been signed with the European Union (and extends to the three other countries that are members of the European Economic Area) and the other with Switzerland. Only the program that pertains to personal data of EU/EEA residents was the focus of the EU Court of Justice decision.
The Swiss-US Privacy Shield program, which applies to personal data of Swiss residents, is not affected by the EU Court of Justice decision. While Switzerland follows certain aspects of the EU/EEA legal framework, it is not bound by decisions of the EU Court of Justice. Further, Switzerland has not yet made public any opinion regarding the Schrems 2 decision. According to the website of the Swiss Data Commissioner, the ruling of the EU Court of Justice is “not directly applicable to Switzerland”, and the “Federal Data Protection and Information Commissioner will examine the judgement in detail and comment on it in due course”.
The Privacy Shield Program has Important Applications Worldwide
Second, while the EU-US Privacy Shield program is legally limited to personal data of EU/EEA residents, it has become a de facto standard in other parts of the world when dealing with cross-border data transfers to the United States (as the Safe Harbor did before it).
More than 100 countries outside the European Economic Area have adopted privacy laws that, like the EU General Data Protection Regulation (GDPR), also find their roots and basic principles in the 1980 OECD Privacy Principles (or their successor). These laws frequently include cross-border data transfer restrictions that are similar to those found in Articles 45 to 50 of the GDPR (or, previously, Articles 25 and 26 of the 1995 EU Data Protection Directive 95/46/EC).
A significant number of these countries outside the EU/EEA occasionally rely, directly or indirectly, on Privacy Shield self-certification, among other means, for evaluating the practices of a US organization in order to allow certain cross-border data transfers from their territory to the United States, in the same manner as this was done between the EU/EEA and the United States. So far, it appears that no country outside the EU/EEA other than the United Kingdom has publicly stated that it would follow the EUCJ Schrems 2 decision and cease recognizing Privacy Shield certification.
Privacy Shield is Still Subject to US Law
US law still applies to US businesses that have self-certified their practices under the EU-US Privacy Shield program, and these obligations are not erased by the EUCJ decision. This invalidation of the EU Commission decision does not relieve US businesses from the obligations they have under US laws with respect to their past or current participation in the Privacy Shield program. Nor does it affect other aspects of the Privacy Shield program.
The US Department of Commerce International Trade Administration (ITA), which is in charge of administering the Privacy Shield program, has recently published FAQs in which it reminds companies that the decision of the EU Court of Justice does not relieve participants in the EU-U.S. Privacy Shield program of their obligations under the EU-U.S. Privacy Shield Framework and under US laws. It also points out that the Federal Trade Commission has reiterated that it will “continue to expect companies to comply with their ongoing obligations with respect to transfers made under the Privacy Shield Framework.”
If your Organization Wishes to Maintain its Privacy Shield Self-certification
If your organization is listed on the Privacy Shield List, it is directly impacted by the judgement of the EU Court of Justice regarding the Privacy Shield program in that it can no longer rely on its Privacy Shield self-certification in connection with data transfers from the EU/EEA. However, it may still want to take advantage of the other aspects of the program discussed above in its relations with Switzerland and other countries that have recognized the Privacy Shield program in the past.
The Department of Commerce, in its FAQ No 3, encourages continued participation in the EU-US Privacy Shield program, stating that “organizations’ continued participation in the EU-US Privacy Shield demonstrate a serious commitment to protect personal information in accordance with a set of privacy principles that offer meaningful privacy protections and recourse of EU Individuals.”
To remain on the Privacy Shield List, your organization will be required to re-certify annually. There are specific formalities for re-certification, as detailed on the website of the Privacy Shield program. In addition, to continue participation in the Privacy Shield, the organization is also required to pay the annual processing fee to the US Department of Commerce International Trade Administration (ITA).
In addition, there are other direct costs, such as the cost of providing an independent recourse mechanism to hear individual complaints at no cost to the individual. Providers of such services set their own fees. Alternatively, the Privacy Shield provides the option for an EU or Swiss individual, as appropriate, to invoke binding arbitration to determine whether a Privacy Shield organization has violated its obligations under the Privacy Shield Principles as to that individual and whether any such violation remains fully or partially unremedied.
The U.S. Department of Commerce International Trade Administration (ITA) has facilitated the establishment of a fund into which Privacy Shield organizations are required to make contributions to cover the arbitration costs as described in Annex I to the Privacy Shield Principles. The International Centre for Dispute Resolution-American Arbitration Association (ICDR-AAA) was selected to administer these arbitrations and manage this fund.
Beyond the administrative costs associated with membership in the Privacy Shield program, organizations must remember that they are expected to comply with their ongoing obligations (defined in their Privacy Shield self-certification documents) to protect the personal data received through the program, and to meet the Privacy Shield Principles.
If your Organization Wishes to Withdraw from the Privacy Shield Program
The organization may also opt to withdraw from the Privacy Shield program, but in that case, it should keep in mind that US law still applies to US businesses that have self-certified their practices under the EU-US Privacy Shield program. Organizations that decide to withdraw from the Privacy Shield program must follow specific rules described below, or risk legal troubles.
While remaining within the Privacy Shield program is costly, withdrawal from the program may also open an organization to legal and financial risks. If it wishes to withdraw from the Privacy Shield program, your organization must follow the withdrawal procedure defined in the Privacy Shield documents. The U.S. Department of Commerce’s International Trade Administration (ITA) is in charge of processing submissions for withdrawal from the Privacy Shield and maintaining a record of organizations that have been removed from the Privacy Shield List.
Upon confirming your organization's withdrawal, the ITA will remove the organization from the Privacy Shield List and add it to the record of organizations that had previously self-certified, but have withdrawn, which is accessible from the Privacy Shield website.
Upon removal from the Privacy Shield List, the organization must continue to apply the Privacy Shield Principles to the personal data it received while it participated in the Privacy Shield, and affirm to the ITA, on an annual basis, its commitment to do so, for as long as it retains such data. Alternatively, the organization must return or delete the personal data or provide "adequate" protection by another authorized means.
If, at the time of its withdrawal, the organization elects to retain the personal data, it will have to:
- Complete and return to the ITA a withdrawal questionnaire to verify whether the organization will return, delete, or continue to apply the Privacy Shield Principles to the personal information that it received while participating in the Privacy Shield;
- If personal information will be retained, indicate in the withdrawal questionnaire, who within the organization will serve as an ongoing point of contact for Privacy Shield-related questions;
- Over the years, complete an annual questionnaire that describes what the organization has done and will do with respect to the retained personal data, affirm whether it continues to apply the Privacy Shield Principles to the personal data so retained, and identify the responsible person within the organization who will serve as an ongoing point of contact for Privacy Shield-related questions; and
- Pay an annual $200 fee.
Businesses that send or receive personal data of EU/EEA residents are struggling to ensure continuity in transatlantic data flows and privacy protections, and to limit the negative consequences of the decision of the EU Court of Justice on their global business. However, while there is naturally a focus on how to supplement Standard Contractual Clauses to address the new standards set forth in the EU Court of Justice decision, other aspects of the decision should not be neglected in that they may have drastic and costly consequences. The EU Court of Justice invalidation of the 2016 decision of the EU Commission on the adequacy of the protection provided by the EU-US Privacy Shield has more complex and broader consequences than it might appear at first sight. Before deciding to withdraw from the EU-US Privacy Shield program, US organizations should fully evaluate the consequences of such withdrawal to avoid tripping on the landmine of re-certification requirements and withdrawal obligations under the different aspects of the Privacy Shield programs.
About the Author
Françoise Gilbert advises clients on compliance with the growing number of privacy and information security laws that govern their operations, and how to integrate privacy and security in product design, marketing, corporate and commercial transactions and business strategies. One of the first lawyers to enter the field of privacy and security in the early 1990s, Francoise is widely considered a pioneer in the field. Among other activities, she is the editor and primary author of Global Privacy and Security Law, published by CCH Wolters Kluwer, a two-volume law treatise that analyses in-depth and explains the data, privacy, security, digital marketing and advertising laws of over 70 countries on all continents. The treatise also provides extensive background on the major drivers that are dictating or influencing the laws that govern the collection and use of personal data worldwide.