This blog post provides an overview of the EU-US and Swiss-US Privacy Shield Frameworks.
The EU-US and Swiss-US Privacy Shield Frameworks were designed by the US Department of Commerce together with the European Commission and the Swiss Administration to give companies on both sides of the Atlantic a mechanism for complying with data protection requirements when transferring personal data from the EU and Switzerland to the US.
The adequacy decision on the EU-US Privacy Shield was adopted on 12 July 2016, and the Privacy Shield framework became operational on 1 August 2016. On 12 January 2017, the Swiss Government announced its approval of the Swiss-US Privacy Shield Framework.
The frameworks aimed to protect the fundamental rights of anyone in the EU or Switzerland whose personal data was transferred to the United States for commercial purposes, provided the receiving US company was certified under the Privacy Shield. The Privacy Shield imposed strong data protection obligations on companies receiving personal data from the EU, safeguards on US government access to data, effective protection and redress for individuals, and an annual joint review by the EU/Switzerland and the US to monitor the correct application of the arrangement.
However, in July 2020 a ruling was delivered in the case known as Schrems II, in which the mechanisms for personal data transfers between the EU and the US were challenged on the argument that US law cannot adequately ensure the protection of EU personal data. The European Court of Justice (CJEU) issued a press release stating that Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield had been invalidated, while Commission Decision 2010/87 on Standard Contractual Clauses (SCCs) for the transfer of personal data to processors established in third countries remained valid. Furthermore, in September 2020 the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland issued an opinion concluding that the Swiss-US Privacy Shield Framework does not provide an adequate level of protection for data transfers from Switzerland to the US under Switzerland’s Federal Act on Data Protection (FADP).
As a result of these decisions, the EU-US and Swiss-US Privacy Shield Frameworks are no longer a valid mechanism for complying with EU/Swiss data protection requirements when transferring personal data to the United States. Please note, however, that these decisions do not relieve participants in the EU-US and Swiss-US Privacy Shield of their obligations under the frameworks.
In particular, even though the Privacy Shield is no longer a valid mechanism for data transfers from the EU and Switzerland to the US, it remains a valid commitment to certain data privacy requirements with which certified companies should continue to comply. It still provides a fundamental framework for meeting GDPR obligations, including those covering data minimization, retention, and data subject rights. The CJEU decision, together with guidance from the European Data Protection Board (EDPB), indicates that every data transfer must now be analysed on a case-by-case basis and requires additional safeguards or supplementary measures demonstrating a level of protection essentially equivalent to that of the GDPR.
Specifically, the EDPB has issued FAQs on the invalidation of the Privacy Shield and its implications for the Standard Contractual Clauses (SCCs). This guidance requires data controllers to assess the level of data protection in the data recipient’s country and to suspend the transfer if that level is deemed inadequate. In addition, the EDPB has recommended that a company conduct a risk assessment of whether SCCs provide sufficient protection within the local legal framework, whether the transfer is to the US or elsewhere. Whether a company can transfer personal data on the basis of SCCs therefore depends on the result of its assessment, taking into account the circumstances of the transfers and any supplementary measures it could put in place. The same applies to Binding Corporate Rules (BCRs).
The EDPB considers that the legal requirements applicable to any limitation of data protection and privacy rights can be summarised in four guarantees: the processing should be based on clear, precise and accessible rules; the necessity and proportionality of the limitation with regard to the legitimate objectives pursued must be explicitly demonstrated; an independent oversight mechanism should exist; and effective remedies must be available to the individual.
To ensure that all of the above is implemented, in November 2020 the EDPB adopted specific recommendations on data transfers outside the EU. These recommendations give exporters a series of steps to follow.
As a first step, the EDPB advises exporters to know their transfers by mapping all transfers of personal data to third countries. The second step is to verify the transfer tool on which the transfer relies; the available transfer tools are listed under Chapter V of the GDPR. The third step is to assess whether anything in the law or practice of the third country may impinge on the effectiveness of the appropriate safeguards of the transfer tool the exporter is relying on, in the context of the specific transfer. The fourth step is to identify and adopt the supplementary measures necessary to ensure adequate protection of the transferred data; the recommendations contain a non-exhaustive list of example supplementary measures together with some of the conditions they require to be effective. The fifth step is to take any formal procedural steps required for the adoption of the supplementary measures, which the EDPB recommendations specify. The sixth and final step is to re-evaluate, at appropriate intervals, the level of protection afforded to data transferred to third countries and to monitor any new developments that may affect it.
The EDPB states that the supervisory authorities will continue developing guidance for exporters and coordinating their actions to ensure consistency in the application of EU data protection law. Separately, in August 2020 the US and the EU announced that they would work together to “evaluate the potential for an enhanced EU-US Privacy Shield framework to comply with” the CJEU judgment, so the Privacy Shield may return in a new form.
We hope this article has given you an idea of the Privacy Shield and its invalidation, and a starting point if you want to research the subject in more depth.
Until next time.