28
Thu, Mar
51 New Articles

EU-US Data Transfers Questionable – Privacy Shield Declared Invalid

EU-US Data Transfers Questionable – Privacy Shield Declared Invalid

Serbia
Tools
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

On 16 July 2020, Court of Justice of the European Union (“CJEU”) has rendered a landmark decision declaring the Decision 2016/1250 of the European Commission on the adequacy of the protection provided by the EU-US Data Protection Shield (“Privacy Shield Framework”) invalid with the immediate effect. This decision has caused a major shift in the way in which personal data may be transferred to the United States of America. However, the scope of the decision is far broader and includes far more restrictions than it may appear at first glance.

CJEU Ruling – Data transfer to the US becomes increasingly more difficult

The validity of the Privacy Shield Framework was first brought into question in 2015 by the Austrian activist and lawyer Maximillian Schrems (who won the petition to bring down the Safe Harbor mechanism of personal data transfer to the US just a few years prior, now known as the Schrems I). Mr. Schrems claimed that the US-based companies cannot provide an adequate level of personal data protection due to the laws which enable the US National Security Agency (“NSA”) to access data of foreign persons, regardless of the guarantees provided in the Privacy Shield Framework. His petition was not solely directed at the Privacy Shield Framework, but it also questioned the validity of the Standard Contractual Clauses (“SCC’s”), another commonly used mechanism to secure the lawful transfer of personal data to non-EU countries.

CJEU ruled, after long deliberation, that the Privacy Shield Framework does not provide an adequate level of protection in accordance with General Data Protection Regulation (EU) 2016/679 (“GDPR”). Consequentially, the Privacy Shield Framework may not be used as a basis for the transfer of personal data to the US with immediate effect. This is a significant finding as there will be no “grace period” for compliance with the court’s decision, as was confirmed by Data Protection Authorities across the EU in publicly available statements.

SCC’s, however, remain valid and may be used as a lawful basis for personal data transfers on the condition that the data exporter examines and confirms that the data importer can provide adequate levels of protection with regard to the laws of the importing country. Such a standard places an exorbitant burden on the companies from the EU who perform or wish to perform any kind of personal data transfer to any third country, not just the US in particular. Many countries practice wide-scale surveillance of both foreigners and their citizens alike, with the Russian Federation and the Peoples Republic of China first coming to mind. These countries have laws that contain mandatory provisions which cannot be derogated by SCC’s, which are contractual in nature. The European Data Protection Board is still considering what mechanisms will be put in place to ensure adequate levels of protection in these cases.

There is one problem in particular concerning the transfer of personal data to the US when it comes to the use of SCC’s, that went almost unnoticed. Almost all of the data transferred from the EU to the US is transferred via a network of undersea cables – the backbone of the global internet. The US Foreign Intelligence Surveillance Act provides the NSA with a broad range of authorities when it comes to accessing data of foreign persons located abroad. This allows the NSA to gain access to the aforementioned network of undersea cables upon entry into the US. Having mentioned in mind, it will be extremely difficult to assess whether the appropriate safeguards will be provided in the described set of circumstances.

Alternative ways of lawful transfer such as Binding Corporate Rules should be considered, but it remains to be seen how will this decision of the CJEU effect such forms of personal data transfer. Data Protection Authorities across the EU have yet to issue substantive statements on the matter.

Notwithstanding the abovementioned, necessary data transfers are still permitted under the rules of GDPR. For example, necessary data for the performance of the contract, or transfers conducted on the basis of explicit consent of the data subject are still permissible. CJEU’s decision did not prohibit all data transfers abroad, but it did introduce serious restrictions to the free flow of data in the interest of preserving the privacy rights of EU citizens.

Effects on the Republic of Serbia 

Serbian Personal Data Protection Act is modeled after GDPR and contains a provision that explicitly prescribes that the adequate level of personal data protection is provided in jurisdictions as determined by the adequacy decision of the EU.
Numerous Serbian companies, especially those in the IT sector are transferring data to the United States, whether to their affiliated companies or outsourcing companies. Some of these companies have thus far relied upon the Privacy Shield Framework and will now be forced to either reevaluate the risks and introduce additional security measures where need be (still unclear which measures would provide adequate levels of protection) or revert to transferring of personal data to 8 jurisdictions which are still considered to provide adequate levels of protection such as New Zealand, Israel, Japan, Canada, etc.
It would be reasonable to assume that the competent authorities in Serbia will monitor developments in the EU and act accordingly.
Be that as it may, the European Data Protection Board and the US Secretary of Commerce are already working on a new framework agreement that would improve upon security measures that rendered the Privacy Shield Framework inadequate and provide a new basis for a free flow of data across the Atlantic. Until the adoption of “Privacy Shield 2.0”, companies are left with no choice but to reassess their options, amend the existing data protection agreements where possible and proceed with cross border data transfers only after they have determined that the adequate levels of protection are provided.

This text is for informational purposes only and should not be considered legal advice. Should you require any additional information, feel free to contact us.

By Katarina Zivkovic, Senior Associate, and Dragan Martin, Associate, Samardzic, Oreski & Grbovic