By: Tom Blijleven & Matthias de Bruyne
Many European businesses use software hosted outside of Europe, with the United States being the largest supplier. When the GDPR was introduced in 2018, data traffic from the EU to the US was already in question. However, with the Privacy Shield framework in place, those data transfers were still legal. Until now.
What was the Privacy Shield framework?
The Privacy Shield aimed to enable the exchange of personal data between the European Union and the United States. In doing so, it served as a guarantee that US-based companies could still store European data without violating the GDPR (General Data Protection Regulation).
The GDPR states that Europeans may exchange data with countries that are considered to offer adequate protection (the so-called adequacy decision). The United States, however, fell outside that safe list, mainly because of FISA 702.
To still be able to 'trade', that is, to use software from the US, the Privacy Shield program was set up. With the invalidation of this program, the legal basis for organizations within the EU to exchange data with the 5000+ US organizations affiliated with the Privacy Shield also disappears.
Why was the Privacy Shield declared invalid?
The reason the US is not on the "safe" list is the same reason the CJEU ultimately rejected the Privacy Shield. The US law allows its government agencies to interfere with data within the private sector, i.e., the infamous FISA 702. This interference is at odds with the basis of the GDPR, designed to protect consumers' data.
This conflict worried privacy activist Maximilian Schrems (hence, "Schrems II") so much that he filed cases to stop data exchange between the EU and the US. Besides this case (about the Privacy Shield), Schrems already won the case about Safe Harbor ("Schrems I"), which had a similar scope.
Ultimately, the Court of Justice of the European Union (CJEU) chose Schrems' side and declared the framework invalid.
What's the impact of Schrems II on my business?
The implications of the Schrems II ruling are significant. It complicates data transfers to third countries. In practice this has a significant impact on data transfers to the United States. It might mean that, without adequate safeguards, you can no longer use the nearly 5,500 providers on the Privacy Shield list for your organization.
Because FISA 702 targets "electronic communication services", this ruling affects virtually all marketing tools within your organization. The verdict concerns not only the marketing tool itself but also the sub-processors used by these tools. For example: if your European email marketing tool uses a US-based company to deliver the emails, the EU-made marketing tool cannot be used without a Transfer Impact Assessment and (if necessary) additional measures to safeguard the data.
What are electronic communication services?
According to EU law, electronic communications services are services provided using electronic signals over, for example, telecommunications or broadcasting networks. For your business, examples are your cloud storage provider, your email software, analytics tool, (social) marketing software, and your video call software.
Does this ruling apply only to the United States?
The ruling, in this case, looks specifically at data transfers from the European Union to the United States. However, as with any jurisprudence, the verdict does affect similar situations in other countries.
US services with a European branch
The biggest problem with the US regulations is that US intelligence agencies have access to all personal data of non-Americans processed by a US electronic communications service. These organizations can therefore be required to share these data with the government, regardless of their physical location.
What data is involved?
The restriction on sharing personal data with the US only covers data that relates to other people. When an individual sends his or her own personal data to the US, this action can be considered consent under the GDPR. Data transfers that contain no personal data are not covered by the GDPR at all. 'Necessary' incidental data transfers (e.g., for a hotel booking in the US) fall under Article 49 of the GDPR and thus outside the Schrems verdict.
What you can do to make sure you're GDPR compliant
If you're currently using US providers or tools that have US sub-processors, here's what you can do to get your GDPR compliance back on track:
1. Map your data traffic accurately
The first step in getting your marketing solutions compliant is to map and define your current solution(s) and their sub-processors. You can do that using these three questions:
- In which countries does the supplier have data centers? (often found in the data processor agreement);
- Do American citizens have (physical) access to these data centers?
- Have agreements been made, or can arrangements be made with the supplier?
If the answers indicate that the software could be subject to FISA 702, the exchange of data with this provider is subject to additional legal requirements. To still provide some safeguard, many US providers put Standard Contractual Clauses (SCCs) in place. However, these SCCs should be accompanied by effective technical and organizational measures to protect customer data. It is up to the 'data exporter' to do a Transfer Impact Assessment and determine whether additional safeguards are required.
Can you not guarantee that the data is sufficiently protected in the US? Or are there no additional measures in place, such as adequate encryption? Then you should seriously consider whether you can continue to use that tool.
2. Choose EU data storage whenever possible
Some US providers have the luxury of renting multiple data center locations and can give you the option to make agreements on data storage and transfers. Some providers choose to set up a sister company in Europe to comply with local regulations. AMS-IX did something like that a few years ago to curb interference from the US government.
Not sure whether your provider sends personal data to the US? Or whether these organizations fall under US intelligence legislation, or work with sub-processors that do? NOYB has two model requests that you can use to find out. After this, you can decide whether to sign an SCC with this party.
If, even after your efforts, you're not sure about data exchange with the US, it may be wise to look for alternatives within the EU's borders.
3. Switch to EU alternatives
Do you use software that is quite easily replaceable by an alternative within the EU? Make a shortlist of EU providers and find the best alternative for your situation. Although there's still some skepticism about the maturity of European software, there are (surprisingly) good alternatives within the confines of the GDPR:
Consequences when using US based software
Plainly put, if you continue using GDPR non-compliant services, you're violating the GDPR yourself.
Matthias de Bruyne (DDMA):
"Violating the GDPR means that as an organization, you run the risk of a fine of up to 20 million euros or 4% of global turnover, as described in the GDPR (nuances aside)"
If, for a legitimate reason, you're unable to get GDPR compliant in the short term, make sure to communicate your efforts clearly to those involved. Map out a roadmap to GDPR compliance, where you list the steps you need to take and how you're planning on taking those steps.
Should a data protection authority (e.g. the ICO) ask questions, make sure that you can at least demonstrate that you are working on it.
Further reading
- CJEU invalidates "Privacy Shield" in US Surveillance case;
- Bavarian DPA Holds SCCs Alone Not Enough for European Use of US Email Service;
- Privacy Shield invalidated: How to be GDPR compliant again;
- Next Steps for EU companies & FAQs
About Matthias de Bruyne
Matthias De Bruyne is Ads Privacy Lead, Northern Europe at Google. He provides legal support for issues within marketing campaigns and gives advice and information on legal developments. His focus is on the practical application of legislation, rules and guidelines to marketing practice.