Privacy Shield has been under fire ever since it was negotiated by the European Commission and U.S. Department of Commerce as a replacement for the faulty Safe Harbor agreement. But now, the EU-U.S. data-sharing arrangement faces its biggest obstacle yet, as the Court of Justice of the European Union is looking at two cases challenging its legality in the coming weeks.
It will come as no surprise to privacy professionals that the man behind one of those cases is Max Schrems, the Austrian whose case brought down Safe Harbor in 2015.
The new case is fundamentally the same and should worry companies relying on Privacy Shield or standard contractual clauses to use Europeans’ data. As with the Safe Harbor case, the contention is that U.S. surveillance agencies have too much unfettered access to Europeans’ data.
The original complaint was made more than five years ago and is based on Edward Snowden’s disclosures that Facebook allows U.S. agencies access to personal data under schemes such as “PRISM.” The European Court of Justice took these revelations at face value when ruling Safe Harbor illegal.
Following hearings before the Irish High Court in 2017, Irish judges found that the U.S. authorities did indeed engage in mass processing of Europeans’ data and referred 11 questions relating to whether standard contractual clauses provide an adequate level of protection.
Facebook sought to have the referral to the CJEU blocked by the Irish Supreme Court, on the grounds that the questions to the CJEU contained factual errors. The Supreme Court does not usually hear appeals against the High Court, but decided to consider it in this case.
However, Ireland’s Chief Justice, Frank Clarke, dismissed the social network’s efforts and the CJEU hearing is scheduled for July 9.
“Facebook likely again invested millions to stop this case from progressing. It is good to see that the Supreme Court has not followed Facebook’s arguments that were in total denial of all existing findings so far,” said Schrems, adding that he was looking forward to the Luxembourg hearing.
The Privacy Shield mechanism itself is also to be considered by the EU’s top judges, following a claim by three French digital rights groups, La Quadrature du Net, French Data Network and Fédération FDN, that it fails to uphold fundamental EU rights.
The hearing in that case was slated for July 1 and 2, but the court has postponed it until after the Schrems hearing. A special notice from the court stated, “The proceedings in Case T-738/16 Quadrature du Net v. Commission have been suspended pending the resolution of case C-311/18 Facebook Ireland & Schrems (hearing due on 9th July). The hearings due in this case (T-738/16) on 1st and 2nd July will therefore not be held.”
The two cases are slightly different. The digital rights groups’ case is before the general court on annulment rather than the CJEU proper. Despite being different courts with different procedures, the judges took the view that it would be wise to hear one before the other.
Once the CJEU has provided its decision in the Schrems case, expected by early 2020, the Irish Data Protection Commission will make a final determination regarding the original complaint. Of course, this decision could be appealed by either Facebook or Schrems.
With the uncertainty around the validity of Privacy Shield and SCCs continuing, DPOs will be looking for other avenues to ensure continued data flows between the EU and the U.S.
“I think we are going to see some real panic as the prospect of invalidation nears later this year,” Eduardo Ustaran, partner at Hogan Lovells in the U.K., told The Privacy Advisor.
“The Privacy Shield has always been surrounded by a degree of uncertainty, but the SCCs have been around for nearly 20 years, so they are the bedrock of lawful data transfers,” he added. “The idea that the most widely used mechanism to support something so essential to the digital economy may crumble is almost unthinkable, but we can be sure that the CJEU will not be distracted from its mission to determine whether the SCCs are effective at extending European data protection globally. This is also something that will especially worry U.K. and EU companies preparing for a potential ‘no-deal Brexit,’ as the SCCs are regarded as the most obvious fix to the loss of data protection adequacy by the U.K.”
At this stage, the most sensible approach is to keep a close eye on these cases while considering the menu of suitable alternatives, Ustaran advised. For intragroup data transfers within multinationals, binding corporate rules may prove a usable alternative but take time to be approved. However, more than 70% of registrants to Privacy Shield are small- to medium-sized enterprises who could find other models too onerous or expensive.
On June 13, European Commissioner for Justice, Consumers and Gender Equality Věra Jourová told businesses that she wanted to make it easier for them to comply with data transfers under the EU General Data Protection Regulation and would update SCCs; the most recent version still refers to the old EU Data Protection Directive rather than the GDPR. However, it is not confirmed when such an update will take place. And any updated clauses could still be subject to a legal challenge on the basis of the Schrems ruling.
Jourová also said other tools of the GDPR, such as certification or codes of conduct, could potentially create safe havens.
“Certifications would help companies to gain necessary certainty that the processing operations they do are GDPR compliant. It will also further promote the GDPR globally. I’d be interested to know if we should step up our work here, because to me it seems this could help,” she said.
According to European Commission spokespeople, the commission is currently analyzing the possible need to modernize the existing SCCs for data transfers.
“In this context, we have asked stakeholders (for instance, those represented in the Multi-Stakeholder Expert Group) to tell us about their interests/needs in this area. This being said, the possibility to develop SCCs exists both for data transfers (Article 46 GDPR) and more generally for the controller-processor relationship (Article 28 GDPR), and the European Data Protection Board has been asked to prepare an opinion on a set of draft Article 28-SCCs by one of the national data protection authorities. The assessment of these draft SCCs is ongoing,” explained the official.
Meanwhile, in the U.S., the Senate confirmed Keith Krach as the permanent Privacy Shield ombudsperson, after years of nagging from the European Commission. The lack of a permanent ombudsperson was one of the chief complaints listed by the Commission following its second annual review in December 2018.
Castlebridge Managing Director Daragh O Brien, CIPM, said, “This is deck chair rearranging. What it means is that the U.S. government is now, at long last, starting to put the structures promised in the letters of understanding regarding Privacy Shield into place, but the fundamental legal issues at the heart of things have not been addressed.”
However, the Commission did see some cause for optimism, saying: “Improvements made include the strengthening by the Department of Commerce of the certification process and of its proactive oversight over the framework. The department has set up several mechanisms, such as a system of checks (‘spot checks’), which randomly selects companies to verify that they comply with the Privacy Shield principles. Additional compliance review procedures also include the analysis of Privacy Shield participants’ websites to ensure that links to privacy policies are correct. The Department of Commerce put in place a system to identify false claims which prevents companies from claiming their compliance with the Privacy Shield, when they have not been certified.”
Evidence of that improved approach could be seen earlier this month when the Federal Trade Commission (FTC) announced that it had reached a settlement with background screening provider SecurTest for falsely claiming compliance with Privacy Shield, as well as sending 13 warning letters to other companies over inaccurate claims about compliance with the defunct Safe Harbor.