On 16 July 2020, the Court of Justice of the European Union (CJEU) handed down judgment C-311/18 (Schrems II), invalidating Privacy Shield, the US-EU certification programme intended to ensure the security of personal data transfers.
Prior to that, a US company holding a Privacy Shield certificate could process the personal data of EU residents without having to provide any additional guarantees to ensure the security of data processing. For example, both Google and Facebook used Privacy Shield to process the data of EU residents in the United States.
Facebook and Google under scrutiny
Maximilian Schrems is the Austrian lawyer whose complaints have brought the personal data processing practices of internet giants Facebook and Google under close scrutiny. Privacy Shield is the second US-EU data transfer mechanism that Schrems has sunk. The CJEU decision was clear – Privacy Shield does not guarantee that US companies, particularly those that are subject to 50 U.S. Code §1881a (‘FISA 702’) or that transmit data to the US Government in accordance with Executive Order 12333, process the personal data of EU residents as securely as required by the General Data Protection Regulation (GDPR). The court concluded that US mass surveillance practices lack the adequate safeguards and limitations needed to satisfy the proportionality principles of EU law, and that EU data subjects have no access to compensation or legal remedies if their data are misused.
The judgment did not bring much clarity as to what to do
The CJEU judgment said that data cannot be transmitted to the US under Privacy Shield, but neither the court decision nor the data protection supervisors explained how the security of data processing in the US should be ensured instead. The absence of guidance did not, however, mean a grace period: the judgment applies immediately.
Two months after the CJEU judgment, Schrems and his organisation NOYB (‘my privacy is none of your business’) filed complaints with data protection supervisors against 101 companies whose websites continued to use Facebook Connect and Google Analytics, which Schrems and NOYB consider to be in clear conflict with the CJEU decision.
Those 101 companies are not the only ones in breach of the CJEU decision. The international law firm Fieldfisher surveyed, via its blog and LinkedIn, how companies intend to implement the changes arising from the Schrems II judgment. It found that for 75% of the respondents, the data processors or joint controllers are located in the United States or otherwise outside the European Economic Area (EEA), which shows how wide the impact of the CJEU decision actually is. Despite the collapse of Privacy Shield, a mere 12% of the respondents plan to replace their existing processors or joint controllers with ones located in the EEA. Only 5% said they would stop exporting data altogether. The survey results illustrate clearly how far regulatory and legislative practice is from the real-world data transfer practices of today’s businesses.
Estonian companies need not worry yet
The effects of the invalidation of Privacy Shield will also be felt in Estonia, although so far no one has filed a complaint with the Data Protection Inspectorate about a company still relying on Privacy Shield for transmitting data to the US. As long as the concept of the administrative fine has not been introduced into Estonian legislation, companies in Estonia can rest easy and need not fear data protection fines. However, the administrative fine concept is in the process of being introduced into Estonian legislation.
What does this mean for an Estonian company in practice? It is worth reviewing your list of processors, particularly cloud service providers: how many of them are located in the US, or state in their contract (or general terms and conditions) that they transmit data to the US? What is the legal basis for such transfers? If it is Privacy Shield, you should consider whether it would be sensible to put Standard Contractual Clauses (SCCs) in place or to replace that processor with one located in the EEA. If you are already using SCCs for data transfers to the US, you should review them to ensure that the security requirements they contain are sufficient. In other words, carry out a data protection impact assessment and decide whether the data protection and information security measures you are using are adequate. You should do this even though the various data protection authorities in Europe have yet to agree on whether the use of SCCs for such transfers is actually lawful.
Although the main focus of data protection supervisors and opportunistic informants will at first be on global enterprises, Estonian companies, particularly those that also operate in other European countries or globally, must be prepared to face a fine if they fail to bring their transfers of personal data to the US into line with the CJEU decision.