The EU General Data Protection Regulation (GDPR), which has been in effect in the European market since 25 May 2018, requires companies to meet certain standards when transferring personal data to non-EU countries or "third countries" (see Article 44 et seqq. GDPR). The major requirements for transferring personal data to the US, the role of the EU-US Privacy Shield and other privacy options are set out below.
1. Where will you encounter data transmission to the US?
Personal data may be transferred to the US as part of a centralised administration of data by an American parent company, or if a company is using US service providers for HR management. Data, however, may also be transferred "behind the scenes" if a company is using a cloud for customer data and the provider's servers are located in the US. It is sufficient that personal data is merely accessible from the US (disclosure by transmission, see Article 4 no. 2 GDPR). Simply put, whoever enters personal data into a data network accessible in the US is "transmitting" data to the US.
2. What must be considered when transferring data?
Under the GDPR, any transfer of personal data to a third country (or to an international organisation) requires a two-tier review. The justification of the data processing alone (as, for instance, under the German Data Protection Act) is not sufficient. The GDPR sets out additional legal requirements for transferring data to a third country, including adequacy decisions, appropriate safeguards and the data subject's consent.
- Transfers on the basis of an adequacy decision, Article 45 GDPR
It is fairly straightforward to transfer data to a third country if that country, in the judgement of the European Commission (EC), enjoys an adequate level of protection.
Previously, under Directive 95/46/EC, the EC determined adequate protection by adopting an adequacy decision based on the third country's international commitments. EC adequacy decisions adopted before 25 May 2018 remain in force under the GDPR and currently include Canada, New Zealand, Argentina and Switzerland, which are considered "safe third countries for data protection purposes". The EC has not adopted a general adequacy decision for the US, but has attached conditions to the transfer of data to it (see the fourth point below), and data can be transferred to any third country that meets this standard.
- Appropriate safeguards, Article 46 GDPR
In the absence of a decision by the EC, personal data can be transferred to a third country only if appropriate safeguards, enforceable data subject rights and legal remedies for data subjects are available (Article 46 GDPR), such as EU standard contractual clauses or binding corporate rules (see paragraph 6 below).
In principle, companies can transfer data to a third country (Article 49 GDPR) if they obtain consent from the data subject, but they must be able to demonstrate that the data subject consented (Article 7 GDPR).
In Germany, the Data Protection Act considers the employment relationship as a justification to seek consent. However, under section 26 (2) Data Protection Act, an employer must assess in each individual case whether consent was freely given: "In particular, the employee's level of dependence in the employment relationship and the circumstances under which consent was given must be taken into account." As of 25 May 2018, German employees must submit written declarations of consent, and must receive a written statement from the company about the purpose of the data processing and their right to withdraw consent at any time.
In general, consent is neither legally certain nor practical for data transfers to third countries, since employees only give consent in particular cases. Employees may also withdraw consent at any time, and obtaining consent generates considerable red tape.
3. Why did the EC negotiate the Privacy Shield?
The forerunner to the Privacy Shield was the EC's 2000 Safe Harbour Decision, which applied the "Safe Harbour Privacy Principles" of the US Department of Commerce. More than 3,200 US companies used this self-certification, but on 16 October 2015 the European Court of Justice (CJEU) declared the Safe Harbour Decision invalid because it placed US national security above the safe harbour principles: US authorities were able to demand personal data without restriction, even from self-certified companies. The CJEU held that giving US intelligence services access to communications that cannot be reviewed by the courts is incompatible with EU privacy law.
After this ruling, the EC negotiated the Privacy Shield as its successor.
4. What is the Privacy Shield?
The Privacy Shield rests on a new EC decision, oversight by US authorities and a set of key data protection principles.
In its most recent decision on the matter, the EC declared the transfer of data to the US permissible under certain conditions (Commission Implementing Decision (EU) 2016/1250 of 12 July 2016), including self-certification as set out in the Safe Harbour Decision and an undertaking to comply with the data protection principles set out in an annex to the decision. Certification must be renewed every year. The US Department of Commerce, which publishes a list of self-certified companies, reviews whether certified companies are complying with the rules.
In the Privacy Shield Annex, US authorities have established safeguards against "restrictive data processing", but reserve the right to collect data for national security purposes.
Parallel to monitoring by the US Commerce Department, the EC has reserved the right to review whether the US is maintaining an adequate level of protection, and is committed to publishing an annual report on the adequacy of Privacy Shield protection (Article 4 (4) Commission Implementing Decision 2016/1250).
The EC ensures legal protection for EU citizens by requiring self-certified US companies to offer services such as an independent ombudsman free of charge. The US State Department provides an ombudsman to address complaints from EU citizens about data accessed for national security purposes. EU-based employees can bring any complaints about data protection to the competent authority in the country where they are working. US companies must cooperate in any subsequent investigations and comply with the advice given by EU authorities.
5. Why should companies consider other options?
The Privacy Shield was fiercely criticised almost immediately. The Data Protection Working Party, the forerunner of the European Data Protection Board, questioned US security agency access to data and dismissed the safeguards intended to restrict arbitrary access to personal data as vague.
- Escalation and transposition deadline of 30 October 2018
During its annual review on 18 October 2017, the EC determined that an adequate level of data protection was necessary under the Privacy Shield. In its report, the EC recommended that the US could improve data protection by pro-actively and regularly monitoring compliance and by appointing an ombudsman to deal with complaints by EU citizens.
The US has not complied with these requests. In 2018, Congress extended the enabling provision for foreign intelligence and failed to grant foreign citizens – including EU nationals – rights against surveillance by US security agencies. In July 2018, the European Parliament passed a resolution concluding that the Privacy Shield did not offer an adequate level of protection. After the US failed to demonstrate compliance by 1 September 2018, the European Parliament pledged that it would ask the EC to withdraw the adequacy decision. The EU Commissioner for Justice, Vera Jourová, issued a request to the US Secretary of Commerce in October 2018 asking the US to fulfil its commitments and stating that, if it did not, the EC might conclude in its second report (due at the end of the month) that the data protection provided by the Privacy Shield is inadequate.
Currently, there is good reason to fear that the EC may decide to "pull the plug" on the Privacy Shield.
- The CJEU's right to reject
The Privacy Shield is also exposed to rigorous scrutiny by the CJEU, which has been able to examine it through preliminary ruling proceedings in a case involving an EU citizen who complained to the Irish Data Protection Commissioner about the transfer of personal data by Facebook Ireland Ltd. to its US parent company. The case explicitly concerns the adequacy of the protection afforded by the Privacy Shield and its ombudsman. Since US authorities are currently able to access personal data secretly, concerned EU citizens would first have to find out whether their data had been accessed before seeking protection from the ombudsman, which is currently impossible under the Privacy Shield. In its Safe Harbour ruling, the CJEU made its position clear: adequate data protection includes effective legal protection. Hence, it remains to be seen whether the CJEU will rule that the Privacy Shield offers sufficiently effective legal protection.
6. What alternatives are there to the Privacy Shield?
Companies will have to look for other options if the EC abrogates or suspends the Privacy Shield, or if the CJEU rules that it is ineffective. (Either decision would make it unlawful to transfer personal data to the US on the basis of the Privacy Shield under the GDPR.) In practice, one option European companies may turn to is the EU standard data protection clauses (i.e. the EU standard contractual clauses).
- EU standard data protection clauses, Article 46 (2) d) GDPR
EU standard contractual clauses are model contracts, and companies can ensure an adequate level of data protection by incorporating these clauses into an agreement on data transfers to third countries. At present, there are three models: one for transfers from a controller to a processor and two for transfers to other controllers (option 1 and option 2). EU standard contractual clauses issued before the GDPR came into effect continue to apply (Article 46 (5) sentence 2 GDPR).
The disadvantage of these clauses is that users cannot amend them. Data protection is only guaranteed, and data transfer to a third country only permitted, if users adopt the model in full and without changes. The model agreements also require users to fill out the annexes, specifying the precise data transferred and the purpose of the processing.
Despite this, the advantage for large corporate groups is that standard data protection clauses can be included in a wide framework agreement that simplifies data processing within the corporate family.
- Binding corporate rules, Article 47 GDPR
Companies can also rely on binding corporate rules (BCRs) when transferring data to third countries. If a company in a corporate group is established in the EU and agrees to comply with BCRs, data transfer is permitted within the group, but not to external parties.
BCRs apply general data protection principles, confer enforceable rights on data subjects (e.g. through complaint procedures) and require data protection training for personnel. Note, however, that information on BCRs must be made available to data subjects, and that BCRs first need to be approved by the national regulatory authority, which companies need to make allowances for.
- Certifications, Article 46 (2) f) GDPR
Data can be transferred to a third country if there is an approved certification, but the details of this certification process have not yet been clarified. Until guidelines are issued, this is not a legally safe option.
- Individual clauses, Article 46 (3) a) GDPR
The GDPR allows data transfer to third countries on the basis of other safeguards, which require separate approval from the regulatory authority.
If transferring data requires special regulations not included in EU standard data protection clauses (as explained above), "individual data export agreements" may be drafted. However, these agreements cannot set the level of protection below EU standards, and the appropriate supervisory authority must approve them.
No absolute legal certainty
In conclusion, the Privacy Shield does not give companies absolute legal certainty when transferring personal data to the US. Due to the uncertain future of the Shield, companies are advised to regularly review their own policies on international data transmission and consider other options. This is the only way to be prepared should there be sudden changes to the current system.