Schrems II: Invalidating the EU-US Privacy Shield Framework
Legal disclaimer: I am not a lawyer and the content in this article does not constitute legal advice. Consult your legal department to determine the steps your organization should take in response to the Schrems II ruling.
The EU-US Privacy Shield Framework was designed to set protection requirements for personal data transferred from the European Union (EU) and Switzerland to the United States (US). US companies that held this certification were considered “adequate” for protecting the rights and freedoms of EU citizens. In July 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield Framework. This blog post unpacks the history that led up to this decision, the details of the CJEU’s ruling, and next steps for companies and privacy professionals.
The Past: Schrems I
Max Schrems is an Austrian privacy activist known for bringing complaints to the Irish Data Protection Commissioner (DPC) against Facebook for privacy violations against EU data subjects. Edward Snowden’s leak of highly classified information from the National Security Agency (NSA)—often referred to as the “Snowden Revelations”—threw light on a mass surveillance program, codenamed PRISM, in which Facebook, Google, Apple, and other companies took part.
Facebook’s involvement in PRISM meant EU personal data was being transferred to the NSA, which, Schrems argued, violated his fundamental right to privacy, data protection, and the right to a fair trial under the Charter of Fundamental Rights of the EU. Schrems fought to prohibit Facebook from transferring EU personal data from Ireland to the US, calling into question the adequate protection provided by the US-EU Safe Harbor Framework, the Privacy Shield Framework’s predecessor. In October 2015, the CJEU invalidated the Safe Harbor Framework for several reasons, including:
- Government interference with the protections is permissible
- It does not provide legal means to exercise the rights to access, erasure, or rectification
- It prevents national supervisory authorities from exercising their powers
Fast forward to July 2016, when a new framework, the EU-US Privacy Shield, was developed to supposedly address the Safe Harbor Framework’s privacy issues in the following ways:
- The right for data subjects to access their data
- Liability acknowledgement in relation to data transfers
- The right for data subjects to acquire confirmation of whether an organization has data about them
- Contractual specifications that data can only be processed for purposes consented to by the data subject
- Data minimization: information may only be retained for as long as it serves a processing purpose
These and other differences between the two frameworks can be found in A Side-By-Side Comparison of “Privacy Shield” and the “Safe Harbor.”
However, Schrems later argued that the additional protections proposed in the Privacy Shield still failed to address mass government surveillance programs and the inability of EU data subjects to exercise their rights. Similar complaints have been brought to the Irish DPC against Facebook Ireland in response to the new framework.
The Present: Schrems II
Schrems successfully recycled his arguments that the Privacy Shield is subject to the same criticisms as the Safe Harbor Framework. There are two issues at play, according to Schrems:
- Government surveillance. The Privacy Shield does not address this, so the concern that mass surveillance programs in the US violate the rights and freedoms of EU data subjects remains.
- The commercial sector. Little protection is offered around data collected by social media platforms and other technology companies. For example, in this article, the Electronic Frontier Foundation explains how Google shares, monetizes, and exploits the data it collects about people. The Privacy Shield fails to account for this internal handling of personal data, and it does not address how informed consent is obtained from data subjects.
Articles 47 and 52 of the Charter of Fundamental Rights of the European Union are of particular interest here. Schrems’ objections were brought before the CJEU in 2019 and 2020, and in July 2020 the court ruled:
“… that the Privacy Shield does not provide adequate protection, and invalidated the agreement. The court also ruled that European data protection authorities must stop transfers of personal data made under the standard contractual clauses by companies, like Facebook, subject to overbroad surveillance. This decision has significant implications for U.S. Companies and for the U.S. Congress because it calls into question the adequacy of privacy protection in the United States.” – epic.org press release
This does not mean that data transfers between the EU and US are illegal. Other protective measures can be used, including those listed below.
- Standard contractual clauses (SCCs), according to Lexology, are:
  “sets of contractual terms and conditions which the sender and receiver of personal data both sign up to, aimed at protecting personal data leaving the European Economic Area (EEA) through contractual obligations in compliance with the GDPR’s requirements in territories which are not considered to offer adequate protection to the rights and freedoms of data subjects.”
  There is now a higher obligation to scrutinize these clauses closely, and supplementary guarantees might need to be provided. The CJEU pointed to two provisions that should be noted:
- Binding corporate rules (BCRs) are, according to i-SCOOP, “internal rules which define the international policy in a multinational group of companies and international organizations regarding intra-organizational personal data cross-border transfers.”
- Consent from the data subject could be a viable option when data is being transferred from the EU to the US.
Your organization’s legal department can help you decide which protective measures are best suited to your circumstances, but the consensus so far seems to indicate that SCCs “plus”—SCCs plus the “supplemental guarantees” mentioned above—might be the way to go. What constitutes an adequate package of SCCs and supplemental guarantees varies from case to case.
The Future: Next Steps
Electronic telecommunications, healthcare, and financial companies will likely be impacted the most by the CJEU’s ruling, but all companies that engage in cross-border data transfers should consult with their legal departments to determine their next steps. Below is a list of action items to consider:
- Actively monitor the situation. Your data protection authority (DPA) may view this ruling differently from other DPAs. New SCCs, the United Kingdom and Brexit, and the generally fluid circumstances require that companies stay up to date on key decisions.
- Engage the experts. Coordinate with technical and legal experts and third parties to develop an action plan based on your organization’s risk profile. Ensure that you have the support of leadership.
- Conduct a data transfer analysis. Document the data your organization processes, where it is being hosted, the access controls surrounding it, and the applicable GDPR transfer mechanism.
- Assess essential equivalence. Determine what supplementary measures, if any, need to be put into place in addition to SCCs. This could be a Schrems-type privacy impact assessment (SPIA) that identifies data types, the circumstances that surround data transfers, the type of company, and risks of government surveillance.
- Publish a technical security document. A security white paper can reassure your customers that you take data privacy and protection seriously. It should detail the security architecture of your products (what data they collect, how they secure it, and where it is hosted), give insight into overall organizational security such as perimeter and network controls, and include compliance details.
- Take organizational measures to reduce risk. This action can take the form of a disclosure policy that outlines how and when your organization discloses data to third parties.
Legal experts can help you craft SCCs and supplementary guarantees, carve out a customer-friendly security white paper, and polish a disclosure policy. Having these documents ready to go signals that you take data subjects’ rights seriously and can increase sales velocity. If your organization is Privacy Shield–certified and your contracts with third parties rely on this certification, you will almost certainly be required to update those contracts so that they rely on a legitimate transfer mechanism. For some, this will mean updating hundreds, or possibly even thousands, of documents.
Schrems has thrown the gauntlet down to the EU and US, challenging their frameworks on data protection compliance. With the Safe Harbor and Privacy Shield frameworks struck down, legal experts and privacy professionals will now be forced to reevaluate how they handle cross-border data transfers and possibly how data is handled within the US. We already see data protection legislation sweeping through the US, state by state, so a federal mandate that is in alignment with GDPR could be on the horizon. We could also see Privacy Shield 2.0—an updated version of the framework that resolves the issues raised by Schrems. However, the jury is still out on what a newer version of the framework might look like.
Paul (@paulmargiotis) is the Security Engineer at SentryOne, where he writes and implements security policy, directs compliance with data privacy and protection regulations, and strengthens the organization's network and perimeter defense. In his articles, he shares insight into hardening systems and infrastructure, risk management, cryptography, and building robust processes and protocols to enhance security governance. Paul holds a master's degree in Cybersecurity, with a concentration in Network Security, from the University of North Carolina at Charlotte.