by The Cat
In July 2020, in its "Schrems II" judgment, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield, an international agreement regarding the storage and processing of personal data of European Union (EU) residents by businesses in the United States. While many politicians and the media expressed their surprise and concern at such an outcome, the invalidation of the Privacy Shield was a foreseeable failure for most of those acquainted with the very different views on privacy held by the US and the EU, and with the not very successful diplomatic history of transatlantic treaties on these matters.
(photo by openDemocracy)
The Privacy Shield, a problem child born on the Harbor
Back in the late 1980s, Europeans started to concern themselves with how their personal data was being stored and processed. As a consequence came the Safe Harbor decision in 2000, establishing privacy principles for EU-US personal data transfers for commercial purposes. Nevertheless, the 2008 Amendments Act to the US Foreign Intelligence Surveillance Act (FISA), which added the controversial Section 702 empowering the NSA's PRISM program (exposed by Edward Snowden), led to growing distrust on the European side and, ultimately, to the invalidation of Safe Harbor by the CJEU in 2015. Politicians and businesses tried to save the agreement with a slightly improved and patched version, the Privacy Shield, in 2016. However, the CJEU didn't swallow it and nullified the agreement. So, what to do now?
Things don't look very shiny for the American counterpart. As there was no grace period in the court decision, by now you or your contractor should already have implemented (or be implementing) the measures determined by the Court, or risk being fined by a European data protection agency. Some recent examples show that they are not taking it easy: in October 2020, H&M's Service Center in Hamburg was fined 35.3 million euros for the unlawful monitoring of several hundred of its employees by its management, and in December 2020 Twitter was fined more than US$500,000 by Ireland's Data Protection Commission for having failed to notify a data breach on time and to adequately document it.
Now you may be thinking, "I am in the US, so I am not under the jurisdiction of this European court; they have nothing to say about the way I run my business". This is only partly true, because the European Union changed its approach toward the definition of personal data. With its growing importance as an asset to both companies and governments, the EU's General Data Protection Regulation (GDPR), which entered into force in 2018, started to treat data as a highly valuable good and, as such, subject to certain export rules, like any other good. Therefore, when your company processes or stores personal data in the US, you are importing this good named "personal data" from the EU and performing the tasks your business partner asked of you.
The Privacy Shield was like a "free trade agreement" for the import of European data. With its annulment, you fall under stricter rules if you want to keep importing this data, namely: adopt appropriate safeguards and provide a level of protection equivalent to that found in European countries. The "appropriate safeguards" demanded by the GDPR are one of the following:
- standard data protection contractual clauses (SCCs): adding special, previously EU approved clauses in your contract;
- ad hoc contractual clauses: tailored to your business specificities, but riskier, as they are not pre-approved like the SCCs;
- binding corporate rules: for groups of enterprises;
- codes of conduct;
- certification mechanisms: by now they are few, and normally quite costly.
In general, the simplest way for small and medium enterprises to adopt these "appropriate safeguards" is to employ SCCs, since they have already been written and approved by the EU. But note that they will change soon, and you will have to change your clauses again! Here is their draft text, still subject to modifications.
In addition to those appropriate safeguards, companies must provide a level of protection equivalent (but not identical) to the one found inside the EU. There is no one-size-fits-all formula for this. The EU states that those measures should be decided on a case-by-case basis, according to the kind of operation being performed and the kind of data being stored or processed.
To do so, you should first assess the intrinsic risks of your activity, such as hackers, infrastructure failures and the like, and indicate the measures you will take to counter those risks: strong cryptographic keys, secure servers, measures to avoid loss of data and damage to devices, etc. So far, nothing new, you would probably say. The new issue is that the CJEU stated that Section 702 of FISA and Executive Order (E.O.) 12333:
"Allow the surveillance of individuals who are not United States citizens located outside the United States in order to obtain 'foreign intelligence information', and provides, inter alia, the basis for the PRISM and UPSTREAM surveillance programmes. In the context of the PRISM programme, Internet service providers are required, according to the findings of that court, to supply the NSA with all communications to and from a 'selector', some of which are also transmitted to the FBI and the Central Intelligence Agency (CIA)".
Moreover, "Section 702 of the FISA does not indicate any limitations on the power it confers to implement surveillance programmes for the purposes of foreign intelligence or the existence of guarantees for non-US persons potentially targeted by those programmes."
Most concerning, according to the CJEU, is that "data subjects have no right to an effective remedy" in the courts against US authorities. This concerns not only data stored inside the US, but also data merely passing through its backbones. In the UPSTREAM program:
"Telecommunications undertakings operating the 'backbone' of the Internet -- that is to say, the network of cables, switches and routers -- are required to allow the NSA to copy and filter Internet traffic flows in order to acquire communications from, to or about a non-US national associated with a 'selector'. Under that programme, the NSA has, according to the findings of that court, access both to the metadata and to the content of the communications concerned."
CJEU's building (photo by katarina_dzurekova)
Here, then, lies the big challenge for American businesses and their European counterparts. They have to implement technical measures that prevent access by the US government, under FISA and E.O. 12333, to the data they store or process, while at the same time abiding by American law. This could include, for example, a statement, backed by the necessary technical measures, that they have not purposefully left open backdoors or spyware in their systems; encrypting everything; handing the cryptographic keys to the European counterpart without keeping a copy; anonymizing or pseudonymizing data before receiving it; not keeping logs, or deleting them as soon as possible; etc. However, if this seems impossible due to the nature of your business, you unfortunately will not be able to store or process personal data from the EU in the US and should stop doing so immediately.
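The "pseudonymizing data before receiving it" measure above is the one that is easiest to show concretely. The following is an added example, not code from the original post or from any of the bodies it cites: an EU-side controller replaces direct identifiers with a keyed HMAC token before the records leave the EU, keeps the key and the re-identification table at home, and the US-side processor works only on the exported records. The field names, sample records and the `EUController` / `us_processor_count_by_plan` helpers are all assumptions constructed for this illustration.

```python
import hashlib
import hmac
import secrets

# Fields that directly identify a person and must never leave the EU in clear.
DIRECT_IDENTIFIERS = ("name", "email", "phone")

# Constructed sample records, as an EU-side controller might hold them.
SAMPLE_RECORDS = [
    {"name": "Ana Silva", "email": "ana@example.eu", "phone": "+351 000 000",
     "country": "PT", "plan": "premium", "last_login_days": 3},
    {"name": "Jonas Berg", "email": "jonas@example.de", "phone": "+49 000 000",
     "country": "DE", "plan": "basic", "last_login_days": 40},
    # Same person as the first record, seen again (e-mail case differs).
    {"name": "Ana Silva", "email": "ANA@example.eu", "phone": "+351 000 000",
     "country": "PT", "plan": "premium", "last_login_days": 1},
]


class EUController:
    """Runs inside the EU. Holds the HMAC key and the re-identification table;
    neither is ever sent to the US processor (hypothetical helper)."""

    def __init__(self, key=None):
        # 256-bit secret key. With a plain (unkeyed) hash, an e-mail address
        # could be recovered simply by hashing a dictionary of likely addresses.
        self.key = key if key is not None else secrets.token_bytes(32)
        self._lookup = {}  # pseudonym -> direct identifiers, EU-only

    def _pseudonym(self, email):
        # Canonicalise so the same person always gets the same token.
        canonical = email.strip().lower().encode("utf-8")
        return hmac.new(self.key, canonical, hashlib.sha256).hexdigest()

    def pseudonymise(self, record):
        """Return the record as it may be exported: direct identifiers removed
        and replaced by a keyed token that is stable per person."""
        token = self._pseudonym(record["email"])
        self._lookup[token] = {k: record[k] for k in DIRECT_IDENTIFIERS if k in record}
        exported = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        exported["subject_id"] = token
        return exported

    def export_batch(self, records):
        """Pseudonymise a batch and refuse to export if any identifier slipped through."""
        batch = [self.pseudonymise(r) for r in records]
        leaked = leaked_identifiers(batch)
        if leaked:
            raise ValueError(f"refusing export, identifiers present: {sorted(leaked)}")
        return batch

    def reidentify(self, token):
        """Only possible here, in the EU, where the table lives."""
        return self._lookup.get(token)


def leaked_identifiers(batch):
    """Outbound check: which direct-identifier fields are still present in a batch."""
    return {k for rec in batch for k in rec if k in DIRECT_IDENTIFIERS}


def us_processor_count_by_plan(batch):
    """What the US-side processor can still do with pseudonymised data:
    per-plan statistics over distinct subjects, without knowing who they are."""
    subjects_by_plan = {}
    for rec in batch:
        subjects_by_plan.setdefault(rec["plan"], set()).add(rec["subject_id"])
    return {plan: len(ids) for plan, ids in subjects_by_plan.items()}


if __name__ == "__main__":
    controller = EUController()
    exported = controller.export_batch(SAMPLE_RECORDS)
    print(exported)
    print(us_processor_count_by_plan(exported))
    # Re-identification works only with the EU-held table.
    print(controller.reidentify(exported[0]["subject_id"]))
```

Two design points matter for the legal argument in the text: the token is an HMAC with a secret key rather than a bare hash, so a processor (or anyone compelling it) cannot rebuild tokens from guessed e-mail addresses; and the only path back to a person is the lookup table, which never leaves the controller's side. Whether this counts as sufficient "pseudonymisation" for a given processing operation is still a case-by-case assessment, as the post notes.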
A Great Challenge for US Companies
American and European companies will have to use all their creative power to develop tools that comply with both US and EU law. Whether you are in the European Union or in the United States, check with your transatlantic business partner whether you are fully compliant. The Court's decision has been in force since July 2020, with no grace period, and, as you have seen, the measures to be implemented are neither easy nor quick. Moreover, the various European data protection agencies are being tough on non-compliance, imposing hefty fines.
- The General Data Protection Regulation (GDPR): https://gdpr-info.eu/
- EDPS Website Evidence Collector, a free and open source software developed by the European Data Protection Supervisor for the automation of privacy and personal data protection inspections of websites: https://edps.europa.eu/press-publications/edps-inspection-software_en
- GDPR Checklist: https://gdpr.eu/checklist/, a lengthy checklist of all that must be implemented, with some templates and FAQs
- The European Data Protection Board's recommendations and examples for implementing those measures: https://edpb.europa.eu/sites/edpb/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf