Anyone sending data to the USA or working with a technology partner whose servers are located in the USA needs to review the impact of the latest judgement by the European Court of Justice (ECJ). As of July 16th, data flows between the EU and USA are no longer legal.
Why is this?
US surveillance laws don’t prevent US security organisations from surveilling companies’ data even if they were members of the Privacy Shield agreement. Neither is there is an effective way for EU citizens to file a complaint about this in the USA.
The damning conclusion of the ECJ ruling states;
“The requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred. The limitations on the protection of personal data arising from the domestic law of the United States… are not circumscribed in a way that satisfies requirements.”
With 5,300 US companies signed up to the Privacy Shield, the implications are huge. Some of the larger global companies are playing it down, with the likes of Microsoft, Oracle and Salesforce releasing “don’t worry, we’re covered, business as usual” statements but deeper reading shows they are not immune to the US Government approach where national security concerns trump everything else (pun intended!)
The upshot is, if you are sending data to the USA, that data and that of your customers can be accessed should US security services request it – this contravenes EU data laws.
What is the ICO saying?
Very little so far; “We are currently reviewing our Privacy Shield guidance after the judgment issued by the European Court of Justice on Thursday 16 July 2020. If you are currently using Privacy Shield please continue to do so until new guidance becomes available. Please do not start to use Privacy Shield during this period.”
What does this mean for email marketing and CRM functions?
If your email service provider (ESP) or technology partner stores and processes your data in the US or in a US jurisdiction you are no longer complying with the EU DPA or the GDPR.
This means US companies are entirely reliant on Standard Contractual Clauses (SCCs) which are individual agreements between suppliers and their customers. These have, at least for now, been upheld in the ECJ ruling as SCCs were fine in general because an EU privacy regulator can still invalidate them on a case-by-case basis if a company is breaking the clauses’ terms or is unable to stick to them – although technically SCCs cannot prevent US security services from accessing data either.
Another issue is that SCCs were designed to be specific to a contract and will be a costly bureaucratic and legal exercise for many suppliers, as they will have to negotiate and sign thousands of new contracts. These costs will be especially onerous for startups and small businesses.
Mailchimp and other high-volume low-ticket ESPs would seem to have an insurmountable problem as creating SCCs for every customer is not economically possible. They, unsurprisingly, state on their site that it is business as usual but as SCCs come under increasing scrutiny, the ‘check box’ style SCC will likely be the first to go. Whilst Mailchimp note the separate Swiss-US Privacy Shield remains a valid data transfer mechanism, this would seem to apply to Swiss customers only.
In response to the ruling, the Business Software Alliance, which represents companies including Microsoft, Oracle and IBM said it would accelerate its work on modernising SCCs but many technology lawyers and data protection experts believe that SCCs offer only a temporary reprieve as well as being subject to increased scrutiny from now on.
Your supplier may be a large and well respected company, but that doesn’t mean they are exempt, it just means they are perhaps less likely to receive government requests for information and that advance warning will be given rather than security services storming data centres and ripping servers out of their cabinets. Worryingly though, companies are not allowed to tell their customers about information requests and any data subsequently handed over if they are told not to by the US security services.
Brexit, whose idea was that?!
The fall of the Privacy Shield also complicates an already difficult process for the UK in seeking a data adequacy decision from the EU as the UK wants unrestricted data transfers with both the EU and the US.
The former would ideally be achieved via an EU adequacy decision, whereby the European Commission formally recognises the UK as a safe haven for data transfers. The latter was going to be achieved by the UK and US essentially copying the EU-US Privacy Shield, which had been “rolled over” in UK law before Brexit. The ECJ ruling undermines both.
The EU will be concerned that if companies transfer EU citizens’ data to the UK, the UK might in turn transfer that data to the US so the UK may not be granted adequacy if it is seen as a backdoor to unprotected US data transfers. It may well be that the UK will have to decide what is more important: data flows with the EU or the US?
The progress of the Brexit negotiations have gained even more significance and it is likely the European Commission will carefully consider whether the UK’s national security system is compatible with that of the EU and will be more wary when conducting the UK adequacy assessments.
If the UK fails to attain an adequacy decision, even the use of SCCs to transfer data from the EU to the UK may not be enough to placate data exporters and regulators, resulting in disruption to EU-UK data flows in the long-term.
Another fine mess
Neither the ECJ nor data protection regulators can turn off the internet so despite the judgement, huge volumes of EU-US data transfers will continue, either via SCCs or unlawfully. This, of course, is a scenario no-one wants, nor is it sustainable.
The likelihood of the US Government changing their surveillance laws, especially under the current administration, or the UK revising theirs before Brexit negotiations are due to finalise at the end of the year is remote. The other option for US companies is to create and ringfence a technology infrastructure within the EU – and potentially the UK along with other countries. The cost of this will be prohibitive for all but the wealthiest organisations and commercially undesirable to many of those, neither is it a quick solution.
A swathe of US companies pulled out of the EU post-GDPR as compliance made their business models unviable – the death of the Privacy Shield could see a far greater number follow suit, particularly when SCCs are also determined to be inadequate.
Whichever way you look at it – despite the additional measures companies may have in place – you cannot circumvent the current US security laws which allow government enforcement agencies to request access to any information they want, whenever they want it.
What can you do?
Aside from SCCs there is currently one option; ensure your technology partner has UK-based servers and infrastructure so that none of your data leaves the UK in the first place. display block is one such company so talk to us and stay on the right side of the law!