European Court of Justice Issues Ruling on Longstanding Privacy Dispute

On July 16, 2020, the European Court of Justice issued a ruling on a longstanding privacy dispute around sending personal data from Europe to the United States. The case, known as Schrems II, stemmed from a complaint to the Irish Data Protection Commissioner by an Austrian citizen against Facebook for improperly transferring his personal data under the applicable Standard Contractual Clauses (SCCs) and under the EU-U.S. Privacy Shield.

There were two key elements of the ruling:

  1. The Court ruled that the EU-U.S. Privacy Shield is invalid. Prior to the ruling, the EU-U.S. Privacy Shield allowed European personal data (i.e., information connected to identifiable individuals, which could be interpreted as including raw and derived test scores and results) to be sent to and processed in the U.S. if the U.S. recipient was certified under the Privacy Shield. However, the Court ruled that, because of the extent of U.S. government national security/intelligence surveillance of EU data subjects and due to weaknesses in the Privacy Shield framework (i.e., the U.S. Ombudsman has no judicial powers to protect individual privacy rights), the Privacy Shield is invalid.
  2. The Court also ruled that Standard Contractual Clauses (SCCs), another way in which personal data can be transferred out of Europe to the U.S. or other countries, remain valid. Nevertheless, the Court noted that SCCs may require additional provisos or protections and may not be sufficient on their own in all use cases. Specifically, the Court discussed the need for processors (including in the U.S.) to make a reasonable evaluation as to whether any SCC under which it receives personal data from an EU controller in fact provides "adequate protection" for EU data subjects, and for the EU controller to make the same determination with respect to the data it transfers to the processor.

Because of the Court's ruling on the Privacy Shield, it seems that many SCCs may not be appropriate, since U.S. surveillance programs may not exclude non-U.S. citizens when their information is transferred to or stored in the U.S. In light of the Court's analysis of the negative impact of U.S. laws, SCCs can still be used for data transfers, but it is up to data exporters and importers to first check and verify that the target country's data protection mechanisms are "essentially equivalent" to those of the EU, and to report any issues. EU data protection regulators may then step in and suspend data transfers. Given the U.S. government's surveillance stance, the use of SCCs to transfer information may no longer be considered acceptable in many cases.

The decision impacts some 5,300 participants in the EU-U.S. Privacy Shield representing $7.1 trillion worth of transatlantic business. U.S. Commerce Department Secretary Wilbur Ross commented on the ruling stating, "We have been and will remain in close contact with the European Commission and European Data Protection Board on this matter and hope to be able to limit the negative consequences... Data flows are essential not just to tech companies, but to businesses of all sizes in every sector. As our economies continue their post-COVID-19 recovery, it is critical that companies ... be able to transfer data without interruption, consistent with the strong protections offered by Privacy Shield."

Further advice from the U.S. Department of Commerce, as well as from the European Data Protection Board (EDPB), may be forthcoming to help clarify the situation. In the meantime, ATP members who have been relying on the Privacy Shield or SCCs for the processing of European test takers' personal data should take steps to evaluate and/or modify their situations by considering the following: 

  1. Testing organizations in the United States that are certified under the EU-U.S. Privacy Shield and that process personal data from Europe must urgently review their legal basis for processing such data and the associated international transfer mechanisms. Although the U.S. Department of Commerce has stated that certified entities may continue to use the Privacy Shield, any such organization that does not already have Standard Contractual Clauses in place should consider adopting them. However, SCCs must be drafted carefully to avoid a determination that the language does not adequately protect EU data subjects. Although the wording of the bare SCC is a pro forma (i.e., standardized) text provided by the European Commission, this may mean adding new safeguards to the SCC or finding another legal basis for handling EU test taker data.
  2. Testing organizations outside the United States that send European personal data to suppliers, service providers, or partners in the United States should review the legal status of such transfers. If the only legal basis for such transfers is that the U.S. entity is certified under the EU-U.S. Privacy Shield, that basis is no longer valid, and the organization will need to find another solution. In some cases, Standard Contractual Clauses will be a relatively simple measure to put into place. But the U.S. processor must consider the volume and types of data being transferred in order to evaluate the risk of U.S. government intelligence surveillance.
  3. All organizations using SCCs (including testing organizations using such clauses for data transfers from Europe to countries other than the U.S.) should be alert for further advice from regulators on the use of Standard Contractual Clauses. The Court stated that an SCC "must be interpreted as meaning that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses must be afforded a level of protection essentially equivalent to that guaranteed within the EU." Options for testing organizations include: 1) re-drafting data transfer contracts so that they abide by a new level of data review, which may require technical safeguards, or 2) making arrangements to avoid transferring data to the U.S. by using EU-based cloud-service providers so that EU data never leaves the EU.

For others, the option that GDPR allows a data transfer once annually may be applicable, and testing organizations may wish to look closely at the Article 49 derogations, which may provide possible solutions depending upon the facts and circumstances of the transfer. In other circumstances, if both the EU and the U.S. organizations are part of the same legal entity, then there is no third-party data transfer. In cases where a corporate group has group members within and outside the EU, adopting Binding Corporate Rules (BCRs) that govern how personal data of European citizens is lawfully shared and protected within the affiliated group may be an option, but it requires satisfaction of certain formalities and will take some time to achieve.

The Association of Test Publishers, through its International Privacy Subcommittee, is keeping a close watch on the situation. We expect to be able to provide further guidance when more clarity about the future is available.