Episode III: Privacy Shield – suspension until 1 September 2018?


Suspension of the Privacy Shield until 1 September 2018?

According to this press release dated 12 June 2018, Members of the European Parliament (MEPs) have urged the EU Commission to suspend the Privacy Shield, arguing that it does not offer an adequate level of protection for EU citizens. The MEPs therefore ask the Commission to:

  1. suspend the data exchange deal unless the US complies with it by 1 September 2018; and
  2. keep it suspended until the US authorities comply with its terms in full.

So here we go again: after the Safe Harbor was invalidated on 6 October 2015, the Privacy Shield is now being called into question, with MEPs taking a clear position and asking the Commission to suspend the agreement.

In fact, there were already doubts about how the Privacy Shield could actually meet the EU requirement of an adequate level of protection for personal data transferred from the EU to the US, knowing that the GDPR would become applicable. In addition, the EU Model Clauses, probably the most widely used tool for cross-border transfers, have also been challenged by Max Schrems before the European courts.

(edit 06.07.2018) On 6 July 2018, the EU Parliament voted, without amendments, a resolution asking the EU Commission to suspend the Privacy Shield unless the USA complies with the GDPR (in particular with principles such as the right to data portability and privacy by design and by default), also fearing the consequences of the recent CLOUD Act in the EU. This is never going to happen on such short notice, whether from a political, economic, legal or business standpoint. Not only would the USA have to sit down again with the EU to negotiate an amendment to the framework, but the roughly 3,000 companies certified under it would also have to ensure that they comply with the update in order to maintain their certification. Probably a nightmare for many companies during the summer of 2018.

So, the same story again? Well, yes, the same story, but against a different background, and here is why.

________________________________

A little bit of context: what it is about

The Privacy Shield is a framework agreed between the EU and the US, backed by an adequacy decision of the EU Commission, that sets out the rights and duties of the US companies adhering to it and is supposed to provide a valid transfer mechanism between the EU and the US (cross-border data transfer). This means that any US organization that self-certifies to the US Department of Commerce that it meets the requirements of the Privacy Shield (enforcement is in the hands of the FTC), with a commitment to maintain that certification, is considered by the EU Commission as offering an adequate level of protection. Therefore, when personal data are transferred from the EU to such a company, the processing is valid without any further legal instrument (such as the EU controller-to-processor or controller-to-controller Model Clauses, Binding Corporate Rules, a contract or even consent). By data ‘transfer’ I mean ‘processing’ pursuant to the legal definition of Article 4 of the GDPR.

Useful, but dangerous. Why?

________________________________

Consequences of such suspension

If a company takes the risk of relying solely on the Privacy Shield, without another appropriate safeguard in place instead of or in addition to it (see Article 46 of the GDPR), the suspension of the framework means that any cross-border transfer of personal data to the US (i.e. processing that moves personal data to a State outside the EEA) becomes unlawful, unless one of the narrow derogations of Article 49 of the GDPR happens to apply to that specific transfer.

This also means that it constitutes an infringement of the Regulation, exposing you to the measures and sanctions referred to in Articles 58 and 83(5)(c) of the GDPR, and that you may be in breach of your contractual obligations where, as a data processor, you committed to transferring data on the basis of a valid mechanism without backing it up with, let’s say, the Model Clauses. A data processing clause in a service contract usually requires the processor to inform the controller about data breaches, but it may also require the processor to inform the controller when it becomes non-compliant, so that the controller can take appropriate measures relating to the processing. So, to avoid being in breach of both the Regulation and your contracts, you had better inform the business and ask your lawyer for guidance.

Several factors may be taken into account when questioning the Privacy Shield and its validity. There have been other scandals, and the GDPR has obviously become applicable: it strengthens data subjects’ rights to privacy and places more obligations on processors of personal data. It is also possible that the negotiators of the Privacy Shield underestimated the switch from Directive 95/46/EC to the GDPR, preferring to preserve the status quo and achieve compliance with Directive 95/46/EC as soon as possible. The drafters of the Privacy Shield may therefore have glossed over the gap between the two pieces of legislation, deliberately or not, to speed up the process, but also as a compromise. It is also worth noting that, when the Privacy Shield became a valid instrument, Donald Trump had not yet been elected, and it is a euphemism to say that the political direction now taken by the USA has changed from that of the Obama administration.

________________________________

Recommendations

So what now? The same story as with the Safe Harbor? Essentially, yes.

If you think you are already GDPR compliant, you should have a record of processing activities (Article 30 GDPR) that mentions the transfer mechanism used for each cross-border data transfer, which makes this information easy to find without going through all your contracts. If not, build that record now. Either way, you may want to apply some of the following recommendations if you want to stay on the compliant path:

  • first, check the news: if the Privacy Shield has not been suspended or declared invalid by the EU Commission, there is nothing to do yet. If it is, then:
  • check how many contracts you have that rely ONLY on the Privacy Shield;
  • perform an assessment based on the criticality of the personal data you handle and transfer (how harmful a disclosure would be and how sensitive the data is for the data subjects), then prioritize and decide what to do about each transfer on the basis of that risk assessment;
  • ensure you put an appropriate safeguard in place (Article 46 GDPR). The safest option (but probably too time-consuming for many) is to have two mechanisms in place, such as the Privacy Shield and the Model Clauses, so that one still holds if the other becomes non-compliant;
  • inform data subjects that, if the Privacy Shield is suspended and you rely on it alone, US authorities may access their personal data. You may remind them of their rights as data subjects or refer them to your brand-new privacy notice, freshly updated for GDPR compliance;
  • inform your business partners about what you are going to do to address this issue, in order to maintain an adequate level of protection and avoid contractual liabilities, penalties or even termination. In practice, everyone is in the same situation, but you should nevertheless be transparent and discuss the issue to find a rapid solution;
  • on 27 October 2015, I mentioned the recommendations provided by the Swiss Data Protection Commissioner for entities relying on the Safe Harbor after its invalidation. These recommendations are still valid;
  • on 10 February 2016, just a few months before the GDPR entered into force (24 May 2016), I provided some thoughts and recommendations in the context of the unpleasant adventures of the data transfer mechanisms between the two continents, with the arrival of the new Privacy Shield Framework. That article also remains valid.
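As an added example (not part of the original post), the following Python script operationalizes the inventory and prioritization steps above against a record of processing activities: it finds the transfers that leave the EEA on the strength of the Privacy Shield alone, ranks them by the sensitivity of the data involved, and says what to do with each. The CSV columns, the sensitivity weights, the EEA country list and the sample rows are constructed assumptions for this example, not a real ROPA export format.

```python
"""Triage a record of processing activities (ROPA) for transfers that rely
solely on the Privacy Shield.  Added example, not code from the original
post; the CSV layout and the sensitivity weights are assumptions."""

import csv
import io
from dataclasses import dataclass

# EEA member states as of 2018 (EU-28 plus Iceland, Liechtenstein, Norway),
# ISO 3166-1 alpha-2 codes.  Transfers to any other country need a mechanism.
EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "GB", "IS", "LI", "NO",
}

# Assumed weights: GDPR Art. 9 special categories score highest, Art. 10
# criminal-conviction data next, then data that enables fraud or tracking,
# then plain contact details.  Unknown labels count as 1.
SENSITIVITY = {
    "health": 5, "genetic": 5, "biometric": 5, "ethnic_origin": 5,
    "political_opinions": 5, "religion": 5, "trade_union": 5,
    "sexual_orientation": 5,
    "criminal": 4,
    "financial": 3, "credentials": 3, "location": 3,
    "hr": 2, "identification": 2,
    "contact": 1,
}

PRIVACY_SHIELD = "privacy shield"


@dataclass
class Transfer:
    activity: str
    recipient: str
    country: str
    safeguards: list        # normalized, lower-case mechanism names
    data_categories: list   # normalized, lower-case category labels

    @property
    def outside_eea(self) -> bool:
        return self.country.upper() not in EEA

    @property
    def relies_only_on_privacy_shield(self) -> bool:
        return self.outside_eea and self.safeguards == [PRIVACY_SHIELD]

    @property
    def sensitivity(self) -> int:
        # Rank by the most sensitive category present in the transfer.
        return max((SENSITIVITY.get(c, 1) for c in self.data_categories), default=0)


def _split(field: str) -> list:
    """Split a ';'-separated ROPA cell into normalized tokens."""
    return [x.strip().lower() for x in field.split(";") if x.strip()]


def parse_ropa(csv_text: str) -> list:
    """Parse a ROPA export.  Column names are an assumption of this example."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [
        Transfer(r["activity"], r["recipient"], r["country"].strip(),
                 _split(r["safeguards"]), _split(r["data_categories"]))
        for r in rows
    ]


def triage(transfers: list) -> list:
    """Return (transfer, action) pairs, most urgent first, then most sensitive."""
    result = []
    for t in transfers:
        if not t.outside_eea:
            action = "no transfer mechanism needed (recipient inside the EEA)"
        elif t.relies_only_on_privacy_shield:
            action = "URGENT: add an Art. 46 safeguard (e.g. SCCs) or stop the transfer"
        elif PRIVACY_SHIELD in t.safeguards:
            action = "fallback safeguard already in place; verify it remains valid"
        elif not t.safeguards:
            action = "URGENT: no documented transfer mechanism at all"
        else:
            action = "not affected by a Privacy Shield suspension"
        result.append((t, action))
    result.sort(key=lambda p: (not p[1].startswith("URGENT"), -p[0].sensitivity))
    return result


# Constructed sample ROPA extract (fictional recipients).
SAMPLE_ROPA = """activity,recipient,country,safeguards,data_categories
Payroll outsourcing,PayCo Inc.,US,Privacy Shield,hr;financial;identification
Employee health insurance,WellCorp Inc.,US,Privacy Shield,health;identification
Marketing analytics,AdTech Inc.,US,Privacy Shield;SCC,contact;location
CRM hosting,CloudCo GmbH,DE,,contact;identification
Support ticketing,HelpDesk Ltd,IN,SCC,contact
"""

if __name__ == "__main__":
    for t, action in triage(parse_ropa(SAMPLE_ROPA)):
        print(f"[sensitivity {t.sensitivity}] {t.activity} -> {t.recipient} "
              f"({t.country}): {action}")
```

On the sample data the health-insurance transfer comes out first (special-category data, Privacy Shield only), then payroll; the marketing transfer is already backed by SCCs, the German host needs no mechanism, and the Indian supplier is untouched by a Privacy Shield suspension. Treat an empty safeguards cell as a finding in its own right: it may hide an unrecorded adequacy decision, but more often it is simply a gap in the record.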

________________________________

So what next

The Privacy Shield was supposed to replace the Safe Harbor with better protection for EU citizens, but it remains a mechanism to allow data transfers to the US.

However, there is a slight difference from the Safe Harbor’s invalidation: the GDPR has now entered into force. Compared to Directive 95/46/EC, or even national laws, the sanction mechanism is stronger, and ultimately the fines may reach a maximum of €20M or 4% of annual worldwide turnover, whichever is higher, as a very last resort (Article 83(5)(c) GDPR), since infringing the provisions on data transfers is among the most severe categories of infringement. Everything about the sanction mechanism is explained here.

Last, it is also worth noting that the Standard Contractual Clauses (also called ‘SCCs’ or EU Model Clauses) have also been challenged by Max Schrems before the ECJ. That ruling may lead to the Model Clauses being declared invalid for the same reasons as the Safe Harbor and the Privacy Shield. The difference with transfers based on the SCCs is that they are not limited to transfers to the US: the SCCs are a valid mechanism for transfers to any country outside the EEA. Given that this transfer mechanism is probably used by almost any company doing business with third countries (outside the EEA), the consequences could be dramatic, as this article points out. So, as a last piece of advice, watch what happens with the SCCs over the next couple of months, to be prepared in case this mechanism is also declared invalid.

Best of luck!

By Gabriel Avigdor | NTIC