To transfer or not to transfer, is that the question?
The answer is no. Most companies must transfer data – also to the US. An Austrian lawyer, Maximilian Schrems, has repeatedly filed cases about the transfer of personal data to other countries. The so-called Schrems II ruling is about whether Facebook can transfer personal data from Europe to the United States.
Privacy Shield invalid
In July, the European Court of Justice (CJEU) handed down a much-discussed ruling, affecting many companies: the legal transfer tool for transferring personal data to the USA, Privacy Shield, is now invalid. This is important for all Scandinavian companies that use American cloud services. The reason behind the ruling is that US intelligence has broad access to data in, or accessible from, the US. US intelligence's access to such data is broader than the equivalent access in European countries, and it lacks the safeguards we have here.
SCCs and BCRs must be amended
But the Schrems II ruling goes even further. The alternative transfer mechanisms to Privacy Shield, the so-called EU Standard Clauses (SCCs) and Binding Corporate Rules (BCRs), are no longer sufficient by themselves. The companies exporting data must ensure that the security required by the Schrems II judgment is also met when these tools are used. Thus, implementing SCCs or BCRs is no longer a mere formality.
Data exporters and data importers have obligations under the SCC and must verify that these obligations can be complied with in practice. The verification or assessment required by the CJEU is part of the data controller's accountability obligations under the GDPR and, as such, must be documented by the data controller/exporter.
In practice, this means that each data exporter must carry out and document an adequacy assessment of the law of the destination country and form an opinion on whether there may be "any access by the public authorities of that third country to the personal data transferred". This is a legally complex assessment. It must be done no matter which country the data is exported to.
For the US, the main challenge is that there are intelligence laws that take precedence over European privacy legislation, and under them US companies can legally be ordered to disclose data - including data stored on foreign servers. How to address this contractually, so as to ensure that the SCCs are not circumvented, is presently unclear.
The Norwegian DPA goes as far as to say that the possibility of achieving a similar level of protection in the US "is in reality very limited". The Swedish DPA has not yet commented upon the effects of the ruling.
As a minimum, you must assess what types of US government surveillance apply to the data importer. In Schrems II, the CJEU discussed Section 702 of the US Foreign Intelligence Surveillance Act of 1978 ('FISA'), which applies to data from 'electronic communication service providers.' But there are also other relevant laws, and they often apply to most businesses in the US. One should therefore also assess whether the data importer has historically received requests or demands from the US government, and how likely it is that they may receive such requests or demands in the future.
EU data exporters should send questionnaires to US importers to help them carry out the above risk assessment. The same of course applies for transfers to other countries outside the EU.
What about other legal instruments – consent or contract?
Consent is certainly a possible mechanism, but it is purely theoretical. Few controllers can rely on consent, because it may always be withdrawn. It is not practical.
The same applies to the contract transfer possibility – the transfer must be objectively necessary for the performance of a contract, and that will be the case in very few situations.
The consequence is that some companies now choose to move data back to Europe. But that is really not a practical approach. It would only be a solution if personal data is localised in the EU and there is no access from third countries – but that is not how most services are set up. Most often, technical support is provided from outside the EU during odd hours. Further, this solution may even make the services more costly for consumers, as selecting EU data centers often comes with a higher cost.
What other safeguards could be put in place depends on the results of the company's risk assessment – they may be technical, such as encryption, but they could also be organizational or legal.
If that is not viable, one may enable strong encryption of the data, but whether that is possible depends on how the service is structured. A SaaS service can be more difficult to encrypt than a service where you have more control over the setup.
To make things even more complicated, the European Data Protection Board (EDPB) has said that there is no grace period to adjust to the CJEU decision, and businesses need to take immediate action if they wish to continue transferring personal data outside of the EU compliantly.
New negotiations will be initiated between the EU and the US on an alternative to the Privacy Shield, but there is reason to believe that it will take time. Before the coming election, Trump will hardly agree to weaken US intelligence and if he wins the election, our guess is that we must wait until the next presidential period.
We wait eagerly for more guidance from the EDPB. Meanwhile, Schrems' organisation, NOYB, filed 101 GDPR complaints one month after the ruling against EU controllers that continue to send the data of each webpage visitor to Google US and Facebook US under Privacy Shield or SCCs – so this will not go away.