US EU Privacy Shield has been invalidated, here’s everything you need to know and what to do.
Recap: In a judgment (Data Protection Commissioner v Facebook Ireland Ltd, Maximilian Schrems and intervening parties, Case C-311/18) handed down on 16 July, 2020, the Court of Justice of the Europe Union (CJEU) declared the EU-US Privacy Shield as incompatible with GDPR and, therefore, no longer valid.
The reasoning behind this decision is that the current level of protection given to personal data under US law cannot be considered to be equivalent to that provided by the GDPR. This is largely due to US surveillance programs and the lack of an adequate remedy for EU users.
The annulment of the Privacy Shield took immediate effect, meaning that the Privacy Shield is no longer a valid basis for transferring EU data to the US.
Check any data transfer you make to the US (e.g. you use a vendor or tool that’s run by a US company) to see whether or not the data transfer is based on the Privacy Shield or Standard Contractual Clauses (SCCs). This means that you may need to consider your entire process and make a list of any third-party integrations, services or processors that are US-based or that store data on US servers.
For your convenience, we’ve also put together a list of all the services present in our generator that were self-certified under the Privacy Shield. More here.
Data transfers to the US-based on the current EU Standard Contractual Clauses (SCCs) are vulnerable to (legal) challenge. This is due to the fact that they create binding obligations only on the contracting parties, and not on the US Government. Therefore, current SCCs will not be capable of remedying the incompatibility of the EU and the US legal systems.
As a result, if a service provider chooses to rely on SCCs, the following additional steps are needed:
Where your data transfer was based on the EU-US Privacy Shield, you should immediately look for an alternative mechanism under GDPR to justify data transfers. Current options include:
If substituting SCCs for the Privacy Shield, you must take into account that data transfers to the US based on the current SCCs are vulnerable to challenge. This is due to the fact that they create binding obligations only on the contracting parties, and not on the US Government. Therefore, if using SCCs in lieu of the Privacy Shield, additional steps are needed. Read more SCCs’ additional requirements in the section above.
Regarding explicit consent and other exceptions under Article 49 GDPR, please see the EDPB’s FAQ document and note the following.
In particular, regarding over-seas data transfer based on consent, please note that the consent must be:
An easy way to circumvent the issue of data transfer to the US is to simply keep EU user-data within the EU area. If choosing this approach, you may need to explore alternative services that solely operate or at least have an available datacenter based in the EU for the processing of EU-based data.
Whichever option you choose, do keep keep monitoring the situation. The U.S. Department of Commerce and the European Commission have initiated discussions to evaluate the potential for an enhanced EU-U.S. Privacy Shield framework to comply with the Court judgment (see the official statement here).
For your convenience, we’ve put together this list of all the services present in our generator that were self-certified under the Privacy Shield.
The list might be useful for you to check how the related service providers reacted to the annulment of Privacy Shield and what alternative mechanisms, if any, they decided to implement. If you use a custom service not present in our list and you want to know if that service was Privacy Shield self-certified, you can check it at this link.
Facebook has announced that, in the light of the Court ruling, it is working to migrate to SCCs for data transfers related to its ads and measurement products, as well as for its Workplace customers.
Similarly, Google has informed its European users that it’s moving to reliance on Standard Contractual Clauses for transfers of online advertising and measurement personal data. They are consequently updating their “Compliance” page, “Google Measurement Controller-Controller Data Protection Terms” and “Google Ads Controller-Controller Data Protection Terms”.
Amazon (AWS) has updated its EU-US Privacy Shield FAQ page, reassuring its customers that rigorous technical and organizational measures are in place to protect users’ privacy and that its customers can “continue to rely on the SCCs included in the AWS GDPR Data Processing Addendum if they choose to transfer their data outside the European Union in compliance with GDPR. The AWS GDPR Data Processing Addendum with Standard Contractual Clauses is part of the AWS Service Terms and is available automatically for all customers transferring personal data from the EU to any of the AWS regions around the world, including in the US.”
Microsoft, via its EU Policy Blog, assured its customers about that fact that they are already protected under SCCs on the very day that the judgment was issued. Microsoft has also added additional language to its Privacy Statement to clarify that Microsoft does not rely on the EU-U.S. Privacy Shield as a legal basis for transfers of personal data in light of the judgement of the Court.
The European Data Protection Board (EDPB) published an FAQ document on the Court judgment. The EDPB has also recently announced the creation of a task force for complaints following the Court judgment and a task force devoted to the supplementary measures that data exporters and importers can be required to take to ensure adequate protection when transferring data to the US.
The US Department of Commerce has published a White Paper on what it considers to be additional safeguards to SCCs. It argues that the supervision by the US Foreign Intelligence Surveillance Court of the implementation of section 702 of the Foreign Intelligence Surveillance Act (FISA) does compare favorably with EU Law.
The CNIL (French DPA) has made a French translation of the EDPB FAQ document.
The DPA of Baden-Württemberg (one of the German federated states) has issued guidelines to address the practical challenges of the Privacy Shield decision.
The Swiss authority immediately made clear that the Court ruling is not directly applicable to Switzerland. However, after having examined the change in landscape, the Swiss authority now concludes that the CH-US Privacy Shield does not provide adequate levels of data protection.
The ICO (UK DPA) has created a call helpline for questions regarding the Court decision.
It’s worth noting that this judgment carries implications for Brexit since it is likely to have an impact on both the existing and the new adequacy decision.
The Irish DPA has issued a preliminary order against Facebook Inc. to suspend its data transfers from the EU to the US. Facebook has already appealed the order on the basis that EDPB guidelines on this have not yet been issued.
The Max Schrem’s association, the European Centre for Digital Rights (NOYB) has filed 101 complaints against companies across the EU for continued use of Google Analytics and Facebook Connect integrations to transfer data of EU citizens to the US without a valid legal mechanism for such transfers. Here is their official announcement.