In 2018, the Irish High Court referred eleven questions related to the legality of trans-Atlantic data transfers to the Court of Justice of the EU at the request of the Irish Data Protection Commission. The CJEU had full discretion as to which questions it chose to answer. While many hoped the court would answer the full slate of questions to provide much needed clarity to businesses and regulators, plenty suspected it would skirt at least some given the practical, economic and political challenges behind them.
In its July 16, 2020 decision, the CJEU answered each question before it. And yet, I titled my overview of the CJEU ruling that day "The 'Schrems II' decision: EU-US data transfers in question," writing that “for privacy professionals today ... there may be more questions than answers.”
Seven months later, there still are.
To be clear, there have been many questions and answers in the interim. These questions and answers have come from regulators, governments, businesses and their lawyers in what seems a constant round robin. Transfer impact assessments, countless questionnaires, public consultations on the European Data Protection Board recommendations on additional safeguards and the European Commission’s draft new standard contractual clauses have all generated more questions and sometimes tentative answers.
Where does this leave us?
One answer is in need of a diplomatic solution. When U.S. Department of Commerce nominee Gina Raimondo appeared before the U.S. Senate Commerce Committee as part of her confirmation process, she too received many data flow-related questions — at least six in fact from Senators Wicker, Blackburn, Cantwell, Sinema, Rosen and Blunt. Will you prioritize efforts to finalize a new Privacy Shield?
She answered each with an emphatic, “yes.”
A second answer is that those questions, current answers, and lack thereof are instructive for privacy professionals, as well as policymakers and businesses in search of pragmatic solutions. Privacy professionals will continue, as they have for decades, following the volley of questions and answers, transforming those into practical reality to the greatest extent possible, and learning from their peers.
On Feb. 10, the IAPP hosted a web conference on making SCCs work in practice today to attempt to share the learning from these elusive questions and answers. Barbara Cosgrove, VP and CPO at Workday, Mason Weisz, shareholder at ZwillGen, and Anna Zeiter, CPO at eBay, participated. I served as moderator. The questions I posed to each stemmed, in large part, from the submissions to the EDPB’s public consultation process.
- How are Privacy Shield participants proceeding?
As a result of the "Schrems II" ruling, the Privacy Shield no longer provides a legal mechanism to comply with EU data transfer requirements. As a result, participants face myriad questions, including whether or not to re-certify to the Privacy Shield and how to comply with EU data transfer rules. In August, Bay Regulatory Strategy Group Founder Adam Schlosser shared his thoughts on the first question, making the case for recertification.
During our web conference, panelists agreed that there is value in continued participation.
Cosgrove said she considers Privacy Shield to be “more than just a data transfer mechanism.” She views it as “a way of demonstrating compliance” and “a commitment to customers” that is “embedded in internal policies and procedures.” Cosgrove also believes continuing to participate in Privacy Shield now will make the transition to an enhanced Privacy Shield program easier. Though she is optimistic that a new one is on the way, at the same time, she said it is important for companies to make clear to customers that they are not relying on Privacy Shield as a data transfer mechanism.
Weisz agreed, adding that many U.S. companies have contractual obligations to notify customers or counter-parties if they exit Privacy Shield. “Some companies,” he said, “do not want to make that kind of notification until they are very comfortable with what they are doing with standard contractual clauses” and have them in place with all of their sub-processors. It goes without saying that “comfort” is rarely associated with transfer mechanisms today, leading many to double up on protections.
Zeiter consulted eBay's lead regulator in Germany on how best to proceed. She said the regulator was definitive, saying “you have to act now … you can not wait for the new set of SCCs.” eBay worked to develop an “SCC-plus model” based on the current set of SCCs, the draft set put out by the European Commission and guidance from German regulators and informed the regulator of this approach. Of course, she added, eBay will have to replace these contracts yet again when the final SCCs are released.
- How are companies approaching transfer impact assessments?
The CJEU ruling requires EU companies and their foreign partners to assess the sufficiency of foreign protections on a case-by-case basis prior to transferring data. This is a tall order for even the largest companies and “insurmountable” for startups, according to the Danish Entrepreneurs's submission to the EDPB.
Today, many EU companies are now engaged in what the U.S. Mission to the EU termed a “perilous exercise,” conducting transfer impact assessments, often by sending questionnaires to their non-EU partners. The majority are based on the template that Max Schrems’ organization NYOB published, according to our panelists. They focus on whether the importer is subject to the U.S. Foreign Intelligence Surveillance Act Section 702.
In a minority of cases, Weisz said, questionnaires ask about the nature of the U.S. legal system in general. Some companies in a FISA 702 grey area feel pressure to say that they are not subject to FISA, according to Weisz. However, he noted, there can be privacy benefits to working with a company subject to FISA 702 given warrant requirements under the U.S. Electronic Communications Privacy Act for access to certain communications data. “It’s not black and white,” he said, explaining that much of the user data and content held by those sorts of companies receives greater protection against government access requests in everyday criminal investigations (which typically are more common that FISA 702 directives) than data and content held by companies that are not eligible to receive FISA 702 directives.
Zeiter said it was helpful to tailor a questionnaire to the company’s own operations. EBay created its own model and paired it with due diligence regarding transfers to its biggest service providers. The answers eBay received back have diverged: some complete the full questionnaire, others do not, and some return a template. Zeiter said this effort has been a huge undertaking, which would pose significant challenges for smaller companies.
As a processor, Cosgrove said, Workday chose to publish its TIA as a set of FAQs on its customer website so that they would be immediately accessible, cutting back on the need for the type of back and forth that Zeiter described.
- Should transfer impact assessments be risk-based and what does that mean?
The biggest question that companies, regulators and policymakers currently face in this area is whether or not TIAs should be risk-based. We saw a significant disconnect between the EDPB’s recommendations on additional safeguards and the European Commission’s draft SCCs. The EDPB suggested that companies should not rely on “subjective factors,” such as the likelihood of government access requests based on past experience; whereas the European Commission suggested that practical experience should be considered. Many company, association and even government submissions to the EDPB and European Commission signaled the necessity of a risk-based approach, aligned with the GDPR. (See Telefonica‘s, Employers of Poland‘s and the Dutch Government’s for instance.)
All three panelists answered this question with an emphatic yes.
Zeiter pointed to the GDPR as “the main source of truth” here, which supports a risk-based approach and balancing tests with other rights. Weisz looked at GDPR Articles 32 and 24 in particular, which place the onus on the controller to take account of “the risk of varying likelihood and severity for the rights and freedoms of natural persons” when implementing appropriate technical and organizational measures to comply. He said the risk that the U.S. National Security Agency is going to obtain information from a U.S. importer in the vast majority of cases is “vanishingly low.” Since this is far from the only issue that privacy professionals must deal with, Weisz suggested that a risk-based approach is a must to allow them to focus on what is most important to data protection.
- What additional safeguards are companies implementing in practice now?
When the IAPP and FTI Consulting surveyed companies this past August to inform our annual Privacy Governance Report, we found that most were putting in place a combination of contractual (53%), technical (50%) and policy-based (45%) safeguards on top of SCCs (88%). The EDPB recommendations seemed to suggest that technical safeguards and encryption, in particular, was the best — or only — bet in some circumstances.
Our panelists, however, strongly recommended that companies take a "holistic approach."
Zeiter said that encryption is only "part of the solution, but not all of the puzzle." In addition to their Binding Corporate Rules and newly adopted "SCCs plus," eBay looked into organizational measures, data minimization, and additional encryption measures. She also noted two trends she is seeing in the market: 1) companies are seeking partners that can offer services from "adequate" countries, and 2) companies are increasingly localizing services in the EU, which she said may not address the concerns at hand.
Such trends clearly add impetus to ongoing efforts by the European Commission and U.S. government to develop an enhanced Privacy Shield.
Weisz said that some of the recommended safeguards are more problematic than others and should be assessed based on the business context. For instance, commitments to notify the data subject of government access requests can run afoul of FISA 702 secrecy orders. On the other hand, Weisz said companies can more easily make commitments to challenge government access requests where there is a legal basis to do so, particularly when data is not of interest to U.S. intelligence authorities.
- How are companies approaching EDPB recommendations on remote access to data and cloud processing in the clear?
The EDPB outlined two use cases — numbers six and seven — in which it said encryption was not viable for business reasons, while suggesting nothing else offers sufficient protection. These use cases cover data processing in the clear by cloud service providers and remote access to data in the clear from a third country for business purposes. Public submissions to the EDPB focused a good deal of attention on these two use cases. See submissions from the Danish Government, bitkom and the Global Privacy Alliance, among others.
Cosgrove suggested focusing on what is operationally and technically feasible. She said companies are taking a risk-based approach here and documenting those risks and safeguards to demonstrate that they are taking compliance seriously. She cautioned that processing workarounds can exacerbate risks — sending data via email, for instance, or sharing it through less secure means rather than using centralized service providers with stronger protections.
Weisz pointed to an opening in use case six that may offer companies the possibility of architecting systems differently. Based on the EDPB’s text, he suggested the exporter could hold the encryption key and allow access to particular data in certain circumstances as needed, a solution some processors offer. He also said that companies should be mindful of the U.S. legal standard, which can force controllers or processors to provide data subject to certain protections if they have “possession, custody or control“ of the data. He said there are a variety of technical and organizational structures that can keep the data out of the hands of importers, which would mean that there is not a day-to-day data transfer, eliminating the need for SCCs as well.
- How are organizations allocating liability between the data exporter and importer?
With so many questions unanswered, liability questions arise: Who bears the cost if current answers and approaches are judged lacking and enforcement and litigation ensues? While it has been minimal so far, it is no doubt coming.
Weisz said a lot of companies want to impose full liability on the importer, but “it takes two to tango.” The exporter knows they are taking on this risk, so Weisz believes it is reasonable for importers to tie liability to their degree of fault and allocate responsibility between the exporter and importer, both of which are operating under difficult and uncertain circumstances to enable data transfers with a reasonable amount of protection.
- Where are we headed?
Our panelists largely expressed optimism and hope for a successor Privacy Shield and new risk-based SCCs to ease some tension in the interim.
They also expect some strict guidance from regulators and additional litigation. Weisz injected some realism, “It is not going to end with European data staying in Europe and in the countries that the European Union has recognized as having adequate laws. ... For the vast majority of companies, their transfers are going to continue without negative legal consequences, perhaps with a little more protection against some theoretical risks of government access to data that never come to pass.”
There will certainly be job security for privacy professionals, Zeiter concluded.
More to Come
During a podcast to recognize Data Privacy Day in January, Irish Data Protection Commissioner Helen Dixon was asked directly, as she has been many times before, “How are we going to solve international transfers?” She responded, “For most individuals, the answer is that they are not going to solve it … the policy and lawmakers simply need to engage … and negotiate robust solutions that are going to stand up to legal scrutiny….There is no short cut answer.”
And, so we wait, and ask and answer.
Photo by Emily Morter on Unsplash