On July 16, 2020, the Court of Justice of the European Union made a decision on the Schrems II case. The decision could potentially have major consequences for all companies. This blog post will give you an insight into how it could be relevant for your organisation.
The Schrems II case deals with the possibility of transferring personal information to US companies. So far, this has been possible with the help of the so-called Privacy Shield agreement, which in short is a system of standard contracts in which the US companies guaranteed that they could comply with European GDPR rules (there are currently over 5000 US companies in the scheme).
Having Privacy Shield in place meant that European companies could make use of US services and transfer personal information to them without having to take the long route of risk assessing whether the partner (data processor) is able to live up to its obligations. Privacy Shield had undeniably made it much easier to enter into data processor agreements with US companies.
However, privacy activist Maximilian Schrems has been dissatisfied with the Privacy Shield scheme, as he believes that US companies cannot guarantee compliance with the GDPR, since the US has national laws that override and violate the principles of the GDPR. Among other things, these are laws that enable the US state to gain access to personal data if it, for example, suspects terrorism.
Schrems specifically chose to make a complaint against Facebook, which moves data from their Irish department to the US via the Privacy Shield agreement (Facebook in Ireland and Facebook in the US are two separate companies). This means that European users’ personal data may end up in the United States. Max Schrems is dissatisfied with this, as he does not believe that Facebook can guarantee compliance with the GDPR in the handling of personal data in the USA. It is this appeal that the Court of Justice of the European Union has ruled on. The European Court of Justice has ruled in favour of Schrems, which renders the Privacy Shield agreement invalid overnight. This affects not only Facebook but all companies that are part of the scheme. The Privacy Shield is no longer a valid basis for transferring personal information to the United States.
You can read the ruling made by the Court of Justice of the European Union here: EU Court of Justice.
This is not the first time that an agreement like Privacy Shield has been rejected. The Privacy Shield agreement was a direct result of the invalidation of a previous agreement back in 2015, the so-called “Safe Harbour Agreement”. At that time, it was also Max Schrems who complained about the agreement and secured a favourable ruling. Privacy Shield was supposed to have been the solution to the problems that were present with Safe Harbour, but that has clearly not been the case. We are now in a situation where personal information cannot be transferred to the United States via either Safe Harbour or Privacy Shield, and there is no obvious new solution.
If your organisation has US data processors or partners who use US data processors, it affects you. And who is not in some way entangled in services provided by e.g. Microsoft, Google, Amazon, etc? It is difficult for everybody to get around the big American tech giants. Most organisations are so integrated with American services that it would be very expensive to stop collaborating.
We do not yet know how the decision will specifically affect organisations. The fact remains, however, that it is no longer legal to export data to the United States on the basis of the Privacy Shield Agreement. However, not all organisations can stop using US corporate services from today. We have therefore ended up in limbo, where we are waiting to see what happens next. The question is whether it will be up to the individual companies to find a solution, or whether the solution must be made at a political level.
If the solution is to be found in the companies and organisations, it means that companies from the USA must live up to the same requirements as other third countries. This means that as a data controller, you must be able to guarantee that your data processor can live up to the rules in the GDPR. It places a large amount of work on the shoulders of the individual organisation that makes use of American data processors, as you have to do the risk assessment yourself from scratch and supervise these companies. But how can you expect to reach a conclusion in your risk assessment that differs from that reached by the Court of Justice of the European Union: the obvious fact that these companies cannot guarantee that they can comply with the requirements? And what do you do if you can no longer make use of e.g. Office 365 or AWS? Is there an alternative at all? There are many difficult questions, and the new ruling instantly makes it difficult to see how it will be possible to make use of US companies as data processors.
If the solution is a political one, it is also difficult to predict how it will fare. Should there be tight firewalls between the EU and the US? Should sanctions be imposed on American companies, or should the solution be found somewhere else? It seems unlikely that the EU will relax GDPR legislation to accommodate inadequate US legislation. It also seems unlikely that the US will drop its surveillance laws, which allow the state to gain access to American companies’ data.
It is difficult to envision what the consequences would be if there was no amicable solution to the problem. It would render it practically illegal to transfer personal data to the United States, and the scenario of a lack of a workable solution is a bleak one.
It may be relevant for you to examine whether your lawyers have any recommendations for how you should act now.
As it stands, the ruling raises more questions than it answers. The only thing that is certain is that the ruling has dropped a bomb on the digital cooperation between the EU and the US. There is perhaps nothing to do but take a deep breath and wait for the recommendations from the European Data Protection Board, which is analysing the consequences of the decision. However, it is a good idea to prepare for what the potential consequences for your organisation will be if you have to find new IT service suppliers or have to treat these suppliers like those in other third countries.
This may, for example, involve assuming a wait-and-see attitude when it comes to purchasing new services and pausing projects that will connect the organisation more closely to American data processors.