First Safe Harbor, then Privacy Shield: What EU-US data-sharing agreement is next?
What is data sharing?
The EU has become known internationally as an organization that takes data privacy very seriously. The EU’s stand-out data privacy law, the General Data Protection Regulation (GDPR), has set the bar the world over for the protection of privacy rights of the individual. This bar must also be met by any organization that does business with the EU.
To help cross the chasm, the EU and the US created frameworks to facilitate a data sharing agreement. The first version was named Safe Harbor, which was then replaced by a new agreement named Privacy Shield.
In July 2020, Privacy Shield was rendered invalid by the European Court of Justice (ECJ). There is currently no accepted framework for EU-US data sharing. So, what does this mean for US businesses who want to trade with the EU?
First, there was Safe Harbor
To set the scene for the current lack of EU-US data sharing agreement, it is useful to look back at how this position came about. Before GDPR, the EU Data Protection Directive 95/46/EC (Directive) set the framework for the data privacy requirements of each member state. The directive stated that the transfer of personal data outside the EU must be done with a guaranteed “adequate” level of protection. The EU did not (and still does not) believe the US offers an adequate level of protection.
To facilitate data sharing between the EU and the US, the EU Commission created several ways of achieving the required data security:
- Use of pre-approved model standard contractual clauses (SCC) with the data recipient
- Use of “Binding Corporate Rules” (BCR) to share data
- Use the EU-US Safe Harbor Framework
The Safe Harbor agreement was a fairly straightforward way to keep data flowing between the US and EU as it involved companies self-certifying. Then in 2015, the ECJ invalidated Safe Harbor thanks to the revelations of lawyer Max Schrems, who countered that the US government did not do enough to protect personal data from NSA surveillance activities. The 2015 decision was based on the “Data Protection Commission v. Facebook Ireland, Schrems” case (Schrems I).
Then there was The Privacy Shield
The loss of the Safe Harbor agreement back in 2015 left US businesses with a gaping hole where data sharing agreements should be. The “adequacy” required to transfer data lawfully had to be sorted out and this came in the form of “The Privacy Shield.” This new data-sharing agreement was formally accepted by the EU on July 12, 2016.
The Privacy Shield presented a more comprehensive set of requirements that a business had to meet to allow safe data sharing between the EU and the US Again, US businesses had to self-certify to the US Department of Commerce showing that they followed the Privacy Shield principles.
Privacy Shield was more comprehensive than its predecessor, the Safe Harbor. A full checklist of the differences between the two was outlined in an IAPP side-by-side analysis of the two frameworks. But in general, the Privacy Shield had more stringent and global requirements for privacy policies, onward transfer of data, security of data and more comprehensive data subject rights.
However, whether more comprehensive or not, in July 2020 The Privacy Shield data-sharing agreement was invalidated by the ECJ. So, US businesses are back to where they were in 2015. Again, the invalidation was based on US surveillance laws and termed “Schrems II” in reference to “Data Protection Commission v. Facebook Ireland, Schrems.”
Max Schrems’ website, None of Your Business (NYOB), said of the decision that it reflected the “far-reaching US surveillance laws are in conflict with EU fundamental rights.”
Onwards and upwards for an EU-US data sharing agreement?
The invalidation on July 16th, 2020 of The Privacy Shield took immediate effect. As such, companies are in danger of massive fines. However, the decision did come with caveats on certain data transactions that could be continued under user consent as per Article 49 of the GDPR. As Schrems points out:
"The Court explicitly highlighted that the invalidation of the Privacy Shield will not create a 'legal vacuum' as crucially necessary data flows can be still undertaken. The US is now simply put back to an average country with no special access to EU data."
In August, a joint statement between the EU and the US Secretary of Commerce was made. The notice says that the two are in discussions around an “enhanced EU-US Privacy Shield framework.”
The hope is that the US will begin a process that moves the country to a more GDPR-like federal privacy law. This would provide the “adequacy” needed for smooth data flows between the US and EU.
What can companies outside the EU do to create a data-sharing agreement?
The European Data Protection Board responded to the invalidation of The Privacy Shield that offers some guidance for EU (and US) companies:
- Standard Contractual Clauses (SCC): The ECJ has allowed SCCs to continue to be used. However, a company should check the level of protection afforded by their SCC — this protection must go beyond an agreement between companies. The SCC must do enough to protect against access by public authorities of a third country; in other words, the SCC must take local laws of the recipient country into account.
- Binding Corporate Rules (BCR): The EU decision was based on US law and personal privacy. As such, this must be considered when using a BCR. However, these tools can be used along with supplementary measures but must be looked at and agreed upon on a case-by-case basis.
Before taking on the task of creating an SCC or even a BCR, an organization must understand their data sharing requirements. In other words, build a rounded view of its own data landscape and country laws. Local law adequacy is still a key aspect of granting data sharing agreements. Whilst there is the provision to utilize GDPR derogations such as those in Article 46 and 49, the court points out that:
“… it is the responsibility of the data exporter and the data importer to assess whether the level of protection required by EU law is respected in the third country concerned in order to determine if the guarantees provided by the SCCs or the BCRs can be complied with in practice.”
Conclusion: A data-sharing agreement checklist
While initially a data exporter may take the burden of the removal of The Privacy Shield, data importers are likely to also need to demonstrate lawful data sharing. Organizations must understand their responsibilities and the scope of the sharing needed to achieve a lawful transfer. A data sharing checklist is a good place to start this analysis of data sharing.
Typical items included in a checklist are:
- What data is shared?
- Why is the data shared?
- Can the sharing be justified?
- Have you accessed the harms that could occur by sharing? (This includes country laws that may make data requests).
- Is this the minimum data set needed or not?
- Are there any legal obligations to share these data?
- How will you gather consent to share?
- How will you manage these data?
Going forward, the invalidation of The Privacy Shield will impact businesses that are required to share data within EU jurisdiction. This includes the UK post-Brexit. In the US, there are over 5,100 companies who use The Privacy Shield to do business with the EU. Those companies and any entrants to EU-US data sharing agreements will have to address the invalidation of the framework.
Mechanisms such as data minimization can help in creating sustainable data sharing agreements. However, this all comes back to the fundamental differences and attitudes to privacy between the US and the EU.
Sources
Max Schrems v. Data Protection Commissioner (CJEU - "Safe Harbor"), epic.org
A Side-By-Side Comparison of “Privacy Shield” and the “Safe Harbor”, IAPP
CJEU Judgment - First Statement, NOYB
Art. 49 GDPR: Derogations for specific situations, Intersoft Consulting
Active list, Privacy Shield Framework