Why UC&C Providers Should Understand the Specifics.
In a bombshell announcement, Europe’s top court struck down a critical data-sharing agreement that permitted EU companies to transfer information about EU individuals to the United States for processing. Known as the EU-U.S. Privacy Shield, this mechanism was relied upon by thousands of U.S. companies as their legal basis for processing EU data: Microsoft, Amazon, Google, Mailchimp, Salesforce, Pardot and thousands more.
What does this mean, and how will it affect the UC&C community? This article is written for the UC&C community, and unpacks examples of applicability, highlights reasons for the high court’s decisions, recommends next steps for UC&C companies to legalize data transfers to the United States, and discusses future decisions that may soon amplify today’s decision.
Those working in this space, please take the time to familiarize yourselves with the following four sections.
Examples are Worth a Thousand Words
If you’re like me, you learn better by example. Here’s the first one.
Mailchimp Example. Consider the service provider that integrates Mailchimp into its systems to deliver seamless announcements to customers. At a minimum, EU names and email addresses must be transferred to the U.S. for processing (i.e., sending emails as service announcements). Mailchimp’s own website, as of 16 July, says: “Our servers are located in the United States. Because Mailchimp certifies to the Privacy Shield Framework, we can lawfully receive EU data.” Not anymore, Mailchimp. This is now unlawful, both for Mailchimp and for the company that sends its data to the service.
Help Desk Example. In the second example, consider the situation where you, the service provider, maintain a service desk within the United States for customer support. When your support staff vet issues (i.e., work tickets), it is usually necessary to collect a customer’s name, email address and other data elements. Has your company certified itself under the EU-U.S. Privacy Shield Framework? If so, this is probably the mechanism under which you operate, that is, the legal basis on which your staff collect, store, and process information associated with EU individuals.
Human Resource Department Example. In example three, consider an international service provider with offices in the EU and a human resource department in the U.S. When the HR department reviews or processes data of EU employees and contractors by relying upon the EU-U.S. Privacy Shield framework, it is no longer lawful to do that, even though it’s the parent company. Another mechanism must be implemented, and that is covered in section three.
If any of these examples apply to you, it is now unlawful to continue operating in this manner. As many know, the GDPR imposes substantial fines for unlawful processing of data: up to 20 million euros or 4% of the previous year’s annual turnover, whichever is higher.
U.S. Secretary of Commerce Wilbur Ross said today the agency was disappointed with the decision. He hopes “to be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies and governments.” This article also attempts to do that.
Why the Court Made This Decision: the History and the Now
The EU lost its trust in U.S. agencies starting in 2013, and, by association, in U.S. companies; it’s gone downhill since then. Here’s a recap, but you can skip this section if you already “get it”.
Remember the 2013 revelations of Edward Snowden regarding U.S. foreign surveillance? Snowden publicly disclosed how numerous U.S. intelligence agencies employed sophisticated surveillance systems such as PRISM to spy on the international community and access its personal data. Even UC&C traffic was intercepted in real time. For instance, the Guardian ran an article in 2015 reporting that the NSA had tapped the communications of many EU leaders, including the German Chancellery and its staff, for decades; Germany is a country whose history makes it intensely sensitive to privacy violations.
During this timeframe, an Austrian privacy activist and law student named Maximilian Schrems was concerned with the lackadaisical safeguards U.S. companies, Facebook in particular, applied to the protection of information, and filed a lawsuit against the Data Protection Commission in Ireland. As a Facebook user, he claimed the platform was improperly transferring his data to servers within the United States, where it would be subject to surveillance by the NSA.
These transfers, however, were lawful under the forerunner to the EU-U.S. Privacy Shield, called the EU-U.S. Safe Harbor Framework. In Schrems v. the DPC, the European Court of Justice struck down the Safe Harbor agreement on 6 October 2015 because it did not ensure a “safe harbor” for the information of EU individuals against U.S. surveillance systems that amass and analyze data.
After much negotiation and the passing of time, the replacement framework, called the EU-U.S. Privacy Shield, promised stronger assurances by U.S. companies. But has U.S. surveillance really stopped, and can the EU-U.S. Privacy Shield guarantee a heightened level of safety for information processed in the United States? Maximilian Schrems wasn’t convinced. Enter Schrems II, a case regarding the validity of lawful transatlantic transfers of data to the United States under the EU-U.S. Privacy Shield arrangement, which was invalidated today by the CJEU in case C-311/18.
What To Do Now?
Articles 45-47 of the GDPR permit several mechanisms for the lawful transfer of data to the United States for processing. The two most popular are (a) the EU-U.S. Privacy Shield and (b) a mechanism called Standard Contractual Clauses (SCCs), also called EU Model Clauses. SCCs come in several types; each is an EU contractual template that both the EU company and the U.S. company must agree to and sign. It is legally binding and enforceable, and it must be accompanied by enumerated safeguards that the EU organization deems adequate.
There are also other options, such as Binding Corporate Rules (BCRs) or data subject consent, but these are complex and warrant separate discussion. My advice is to contact an experienced data protection firm with legal expertise in international data transfers that can step through the criteria and craft the right approach. If you have a data protection officer (DPO), they should be central to the discussion.
But the wrong approach is to do nothing, because it is now unlawful to process data under the EU-U.S. Privacy Shield mechanism, and at some point inaction may result in expensive prosecution.
For full disclosure, the adequacy of Standard Contractual Clauses is also under scrutiny. Ireland’s Data Protection Commission said today that “the application of the SCCs transfer mechanism for transfers of personal data to the United States is now questionable.” As of this writing, SCCs remain valid, but that could change as this evolves. Service providers may need to reconsider subjects such as data residency by jurisdiction, meaning customers can choose where their data will be stored and processed, keeping EU data within the EU. Companies may also need to consider where help desk services are set up, keeping an EU help desk available for EU customers and a U.S. help desk for non-EU customers. Strategies of this kind should be part of one’s business strategy alongside international data protection compliance.
Nuances such as these are not limited to the EU. More than 100 nations around the world have implemented data protection regulations in recent years, which is not surprising given the growth of data-driven enterprises. For now, it’s best to partner with a data protection and regulatory compliance organization that keeps pace with these developments.
Meanwhile, I’ll aim to write future updates on this front as you digest the developments of today.