Editors’ Note: This is the third in our fifth-annual end-of-year series examining important trends in data privacy and cybersecurity in the coming year. Read our previous posts on Energy and Cannabis.
A year ago, transferring data from Europe to the United States was inconvenient but manageable. Thousands of companies participated in the Privacy Shield, an agreement between the United States Department of Commerce and the European Commission where data importers certified that protected Europeans’ data at European levels. These companies had to adopt measures that went far beyond US data protection requirements, but got seamless access to Europeans’ data in return. Companies that didn’t participate in the Privacy Shield could achieve the same result by similar means, most often by agreeing contractually to give Europeans’ data European-level protection. All they had to do was insert “Standard Contractual Clauses” written by the European Commission into their contracts and honor those contractual commitments.
No longer. This year, the Court of Justice of the European Union (CJEU) killed the Privacy Shield and maimed the Standard Contractual Clauses. Some Europe-to-US data transfers that were routine a year ago are now forbidden. Others are allowed, but only if companies are tech-savvy enough to thwart the US government. This coming year, companies will need to become more creative about how they process and protect Europeans’ data. They’ll also need to get used to processing data in Europe rather than the United States.
The event at the heart of the heart of the sea change is a July 2020 decision by the CJEU, Data Protection Commissioner v. Facebook Ireland Ltd. and Maximillian Schrems (or simply, Schrems II), which interpreted the European Union’s General Data Protection Regulation (GDPR). Under the GDPR, international data transfers may only occur in two cases, aside from occasional and non-repetitive transfers. The first case is when the European Commission has decided that the destination country provides an “adequate” level of protection – in other words, a level essentially equivalent the level it would receive in Europe. The Privacy Shield is an example of the first case. While the United States does not provide an essentially equivalent level of protection, the European Commission decided in 2016 it does when the American data importer is a Privacy Shield-compliant company. The second case is when the country doesn’t provide an adequate level of protection, but companies that transfers the data implement “appropriate safeguards” that ensure such a level. The most common appropriate safeguard is the Standard Contractual Clauses.
Schrems II demolished both ways of transferring data. First, Schrems II invalidated the European Commission’s Privacy Shield adequacy decision. It gave three reasons. First, the United States government conducts surveillance to a degree inconsistent with the protections Europeans would receive in Europe. Second, the United States does not provide effect judicial remedies for the government’s violation of Europeans’ privacy rights. Third, only the government can address these issues – companies cannot self-certify that the government won’t spy on Europeans’ data, and they can’t create effective judicial remedies against the government. This means that companies can no longer rely on the Privacy Shield to transfer data from Europe to the United States, and that no adequacy decision applies to the US.
Second, while Schrems II did not hold that there could be no appropriate safeguards for Europe-to-US data transfers, it did hold that ensuring an essentially equivalent level of protection might require supplementing the appropriate safeguards listed in the GDPR, such as the Standard Contractual Clauses. Further, if a company cannot ensure an essentially equivalent level of protection through appropriately supplemented safeguards, then those safeguards do not justify the transfers. Thus, for transfers to the United States, these so-called “supplementary measures” must prevent the US government from conducting too much surveillance. However, the CJEU did not say what these measures might be.
The European Data Protection Board’s Guidelines on Supplementary Measures
Enter the European Data Protection Board (EDPB). The EDPB is an EU agency that issues guidelines interpreting the GDPR. These guidelines are not binding on the authorities that enforce the GDPR, which are administered by Member States, but are influential.
In November, the EDPB issued guidelines interpreting the “supplementary measures” requirement under Schrems II. The guidelines describe three categories of supplementary measures: contractual, organizational, and technical. The technical measures are the most important for Europe-to-US data transfers: according to the EDPB, contractual and organizational measures alone cannot remedy an inadequately safeguarded transfer. This is because contracts among data importers and exporters, and their organizational structures, cannot prevent the government surveillance that precludes the US from providing essentially equivalent levels of protections.
But technical measures can be sufficient (as can a combination of technical, contractual, and organizational measures). The technical measures all rely on the principle that protection against government surveillance is adequate only if the government could not obtain data lawfully – how likely the government would do so is irrelevant. Thus, companies can provide an adequate level of protection in the US by (a) prior to export, encrypting the data so powerfully that the government cannot break the code, even by brute force, and (b) not sending the encryption key to the United States. (The key cannot enter the United States, even if sent separately, because then the government would have be able to lawfully use it to crack the code.) Assuming such a degree of encryption is possible, this solution could be effective for companies that want to host Europeans’ personal data in the US, or to route data through the US to a third country. But it would not work for many routine business purposes. For example, it would not allow a European arm of a US company to send European employees’ data to the United States for human resources (HR) purposes, since the American company’s HR personnel would generally need to access that data in unencrypted form.
Companies can also provide an adequate level of protection by sending pseudynomized (i.e., de-identified, but not anonymized) data to the United States without transmitting the re-identification key. This could partly solve the HR problem, as it would allow the European arm to send some employee data to the US headquarters. It also enables what the EDPB calls “split processing,” where some subset of data is sent to the US and other to a third country, and where neither subset can identify a person. But it would not work for types of data that cannot be pseudynomized, such as certain biometric data. And the EDPB stresses that data is adequately pseudynomized only if the government cannot re-identify the data subject using the information that it already has.
A final technical measure is to send sufficiently encrypted data to a “protected recipient,” defined as a person who is immune from the surveillance laws that otherwise render the level of protection inadequate. The data can be decrypted in the United States (but must be encrypted in transit) as long as the decryption key is possessed solely by the protected recipient, and is sufficiently secure itself. This measure should be combined with contractual and/or organizational measures that prevent the protected recipient from rendering the data unprotected, such as by forwarding it to an unprotected person. In the United States, this type of measure could be useful when feasible to transfer and store data in hard copy – FISA section 702, which the Schrems II decision cited when invalidating the Privacy Shield, only allows the government to collect data from electronic communications service providers.
The Path Forward
The EDPB’s supplementary measures may be sufficient for some contemplated data transfers. In these cases, companies should implement them. But in many situations they will not be adequate. Yet these cases do not necessarily require EEA data localization. There is still the option to effect some international data transfers using consent, although the GDPR prohibits more than occasional or repetitive consent-based transfers to countries that do not provide an adequate level of protection. Further, Member State data protection authorities, not the EDPB, enforce the GDPR, and may well find less cumbersome methods to be adequate. They will also have their own enforcement priorities, which so far have not emerged in the few weeks since the EDPB released its guidelines.