After Privacy Shield - will Standard Contractual Clauses be enough to calm customer nerves around data transfer?
- Summary:
- Privacy Shield is dead, but Standard Contractual Clauses live on - can the tech sector reassure customers that these will be enough to protect their data?
The striking down of EU/US Privacy Shield data transfer arrangement by Europe’s highest court yesterday wasn’t unexpected, but the finality of the court’s decision - no appeal allowed - leaves a number of key questions in its wake for the tech sector.
It’s important to note that while the Court of Justice of the European Union (CJEU) brought down Privacy Shield itself, it did not rule out tech vendors continuing to send data across the Atlantic, subject to certain conditions. As privacy activist Max Schrems himself pointed out:
The Court explicitly highlighted that the invalidation of the Privacy Shield will not create a 'legal vacuum' as crucially necessary data flows can be still undertaken.
What the Court did do was to support the continued use of Standard Contractual Clauses (SCC) and determined that these offer “sufficient safeguards on data protection for the data to be transferred internationally”, again subject to some conditions. In this case, there will be an onus on those sending data outside the EU for processing to guarantee that the destination is a location that has a data protection regime compliant with European law.
Given that trillions of dollars/euros worth of digital economy business is at stake here, the European Commission’s Justice Commissioner Didier Reynders was quick to move to calm nerves by insisting after the Court’s judgement came down that transatlantic data flows can indeed continue.
That said, the current approved EU form of template SCCs pre-dates the advent of GDPR, so there is work that needs doing to update them, work that’s now all the more urgent. Reynders again says this is in hand:
We have been working already for some time on modernising these clauses and ensuring that our toolbox for international data transfers is fit for purpose. Standard Contractual Clauses are in fact the most used tool for international transfers of personal data and we wanted to ensure they can be used by businesses and fully in line with EU law. We are now advanced with this work and we will of course take into account the requirements of judgement.
In the meantime, Data Protection Authorities in individual countries will need to take a view on whether companies sited geographically within their regime have made the necessary checks on the protection regime of the data recipient country and to suspend or ban transfers taking place if they have not or if the destination is deemed unsafe.
From that perspective, what remains to be seen is how rigorously various data protection officers will interpret and police this. In the immediate aftermath of the formal ruling, there’s a lot of hedging going on. For example, the UK’s Information Commissioner’s Office says it is “considering the judgement”, but will “support UK organizations” to ensure global data flows continue, while the Irish Data Protection Commission says this is “an issue that will require further and careful examination, not least because assessments will need to be made on a case by case basis”.
Tech reassurances
If it’s not to be a case of caveat emptor in the near term, digital services providers and tech vendors will need to reassure their customers that their data is indeed safe to travel, and some have already moved to do just that.
Back in 2016, when Privacy Shield was first shoved out the door barely-dressed, Microsoft was quick to boast of being “the first global cloud service provider to appear on the Department of Commerce’s list of Privacy Shield certified entities”. Flash forward to today and Julie Brill, Chief Privacy Officer at the firm, wants to make one thing clear:
If you are a commercial customer, you can continue to use Microsoft services in compliance with European law. The Court’s ruling does not change your ability to transfer data today between the EU and U.S. using the Microsoft cloud.
For years we have provided customers with overlapping protections under both the Standard Contractual Clauses (SCCs) and Privacy Shield frameworks for data transfers. Although today’s ruling invalidated the use of Privacy Shield moving forward, the SCCs remain valid. Our commercial customers are already protected under SCCs. Today’s ruling also does not change data flows for our consumer services. We transfer data between users, for example, when one person sends email or other online content to another. We will continue to do so in compliance with today’s ruling and further guidance from EU data protection authorities and the European Data Protection Board.
Brill also pledged that Microsoft would work with both the EU and US authorities to address the issues raised by the CJEU in its ruling:
We recognize the Court raised some important topics for governments to consider as they set policy on how data moves across borders...Privacy is an ongoing journey, and today’s ruling is not the final word. Our customers can be assured that we are committed to ensuring their data will continue to flow through our services, that we’ll continue our work to provide greater protections based on the issues raised in today’s ruling, and that we’ll work collaboratively with governments and policymakers as they shape new approaches.
Meanwhile Lindsey Finch, Salesforce’s EVP for Global Privacy and Data Protection, has a similar message:
Salesforce customers do not need to take any action to continue to use our services in compliance with European law. Our existing Data Processing Addendum already contains both the SCCs and Salesforce’s Processor Binding Corporate Rules (“BCRs”) to legalize the transfer of EU personal data to our service. Neither of these mechanisms were impacted by the CJEU ruling today.
At Salesforce, trust is our #1 value. Our privacy model is simple: we do not use or share our customers’ data and our job is to do our best to keep it safe. We provide a comprehensive privacy program, including resources that document our compliance and help our customers on their own privacy journeys.
In fact, Salesforce’s BCRs pre-date the SCCs associated with Privacy Shield, she notes:
BCRs, which were not at issue in the CJEU decision, are company-specific data protection policies that are widely viewed as the “gold standard” of EU personal data transfer mechanisms. This is because BCRs must adhere to strict criteria (including meeting requirements about government requests for EU personal data), be approved by EU data protection authorities, and require ongoing reporting to EU data protection authorities.
Some vendors are keeping their powder dry so far, most notably Facebook, whose sending of personal data to the US from Ireland was the trigger for the court case that led to the striking down of Privacy Shield this week. Eva Nagle, Associate General Counsel at Facebook, will only say:
Like many businesses, we are carefully considering the findings and implications of the decision of the Court of Justice in relation to the use of Privacy Shield and we look forward to regulatory guidance in this regard. We will ensure that our advertisers, customers and partners can continue to enjoy Facebook services while keeping their data safe and secure.
My take
That guidance Facebook seeks will be needed as the implications of the ruling in practice become clearer. Already Max Schrems’ NOYB (None Of Your Business) activist group has moved on from Schrems’ original position on the SCCs, now arguing that it’s incorrect to say that data flows continue to be legal under SCCs, stating:
The CJEU has made it clear in its ruling that even within the SCCs a data flow must be stopped if a US company falls under this surveillance law. This applies to practically all IT companies (such as Microsoft, Apple, Google or Facebook) that all fall under FISA 702. Just because there is this "stop" within the SCCs that makes it impossible to use them in such cases, the SCCs were not declared invalid.
The statement that a data flow to the USA under the SCCs remains legal is therefore wrong. This would only be possible if a US company is not subject to any monitoring laws (e.g. an airline, a bank or a retail business). Consequently this is also not a "half win", as 100% of the outsourcing that may be subject to US surveillance is not allowed - no matter if under Privacy Shield or SCCs.
That’s a position that the tech sector is not going to be comfortable with. Placatory noises from Brussels and Washington yesterday have been reassuring, but it seems likely that a far more robust delineation of what’s acceptable and what isn’t is going to be needed in the days and weeks ahead. That’s going to mean both sides of the Atlantic playing nicely - or at any rate, more nicely than we’ve seen of late. What the political response might be, we’ll consider in a follow-up article.