The shock wave created by the cancellation of the Privacy Shield this summer by the European Court of Justice (ECJ) is still spreading. The latest recommendations of the European CNILs on the subject are quite enlightening (L’Usine Digitale).
However, I am afraid that many industrial companies have not fully grasped the consequences, in the shorter or longer term, believing that they are protected by the standard contractual clauses where they had that type of mechanism in place. In fact, even though these existing clauses were not directly challenged by the invalidation, if we follow the CJEU’s reasoning, we see that there is a real legal risk.
Privacy Shield Reminder
The Privacy Shield was an agreement between the US and Europe that allowed data to be exchanged as long as the actors respected a certain number of provisions. European users were considered to have equivalent protection for their data whether it was held in the US or on European territory. This agreement had itself replaced an earlier one, the « Safe Harbor », which had been invalidated as non-compliant with our RGPD (GDPR, the General Data Protection Regulation). But this cancellation is also due to the perseverance of an individual, Mr. Schrems, an Austrian national and Facebook user, who did not agree to having his data transferred from Facebook Ireland to the company’s US servers.
Once again, the CJEU finds that internal limitations in American law do not sufficiently guarantee the protection of the personal data of European citizens, and it therefore invalidates the previous decision which had allowed the implementation of the “Privacy Shield”.
This decision is not surprising, given the annulment of the Safe Harbor agreement in 2015 by the same CJEU, which already stemmed from Mr. Schrems’ initial complaint against Facebook. The 30-page judgment sets out the various grounds for it (LeMonde).
What recommendations from the European CNILs?
The European CNILs have published a set of recommendations for managing the Privacy Shield invalidation. There is no single approach, but rather a set of actions to be implemented, always keeping in mind the minimisation of data exchanges according to their purposes.
It is advisable to set up a body that maintains a global view of the data exchanged internationally (L’Usine Digitale)…
The provisions for obtaining equivalent protection must be evaluated, but it may not be possible to achieve it, in which case the transfer of data will be impossible.
Among the possible techniques, data encryption is one approach, but one can also ensure that the data is dispatched to different actors, none of whom can reconstruct the overall information on its own. This option risks being a real headache…
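To make the splitting approach concrete, here is an added example that is not from the article or from any regulator: an XOR-based n-of-n split in which each processor holds one share, and any set of shares short of the full one is statistically independent of the record, so no single actor (wherever it is located) can reconstruct it. The record line is a constructed sample, not real data.

```python
# XOR-based data splitting across non-colluding processors (added example).
import secrets
from typing import List


def split(record: bytes, holders: int) -> List[bytes]:
    """Split `record` into `holders` shares whose XOR equals the record.

    The first holders-1 shares are fresh random bytes; the last share is the
    XOR of the record with all of them. Any proper subset of the shares is
    uniformly random and carries no information about the record.
    """
    if holders < 2:
        raise ValueError("need at least two holders")
    shares = [secrets.token_bytes(len(record)) for _ in range(holders - 1)]
    last = bytes(record)
    for s in shares:
        last = bytes(a ^ b for a, b in zip(last, s))
    shares.append(last)
    return shares


def combine(shares: List[bytes]) -> bytes:
    """Recover the record; every share produced by split() is required."""
    if not shares:
        raise ValueError("no shares")
    n = len(shares[0])
    if any(len(s) != n for s in shares):
        raise ValueError("share lengths differ")
    out = bytes(n)
    for s in shares:
        out = bytes(a ^ b for a, b in zip(out, s))
    return out


# Constructed sample: a pseudonymised clinical-record line (not real data).
SAMPLE = b"subject=EU-0042;visit=3;ae_grade=2"


def demo() -> bool:
    """Split across an EU holder and two non-EU processors; only the full set reconstructs."""
    shares = split(SAMPLE, 3)
    full = combine(shares)
    partial = combine(shares[1:])  # two of three shares: indistinguishable from noise
    return full == SAMPLE and partial != SAMPLE and all(s != SAMPLE for s in shares)


if __name__ == "__main__":
    print(demo())
```

The scheme is all-or-nothing: losing any one holder's share makes the record unrecoverable, so availability has to be handled separately (for example by keeping the EU-held share backed up).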
Which consequences?
The extent of the consequences of this invalidation remains difficult to assess, and it seems that companies are still struggling to put in place an action plan to mitigate its effects.
The companies most at risk are multinationals in terms of their structure and organization. But they are not the only ones…
Indeed, the systematic use of SaaS (Software as a Service) tools for many business functions, such as payroll, puts companies at risk. How can you guarantee that data is not readable by American personnel when the chosen solution is American?
These issues are just as acute for HR performance assessment solutions, for the same reasons, in the case of a European subordinate reporting to an American manager: how can an American manager be kept from accessing that private data? These issues were already sensitive under the old Data Protection and Freedom of Information laws, and many companies were not compliant, whether through ignorance or casualness (not seen, not caught), but at the time the fines were ridiculously low, which is no longer the case with the RGPD (GDPR, the General Data Protection Regulation)…
There is another sector that has not necessarily taken the full measure of the impacts of this invalidation: the entire health industry, including the pharmaceutical industry.
By their very nature, these manufacturers handle a lot of personal data, in fact all the data of patients taking part in the clinical research needed to discover and validate new therapeutic solutions… But where 15-20 years ago all this data was stored in data centres belonging to these labs, since then all of them have moved to cloud solutions: electronic Trial Master File (eTMF), Regulatory Information Management System (RIMS), electronic Case Report Form (eCRF), clinical data warehouses and pharmacovigilance systems. These cloud solutions are often American, or hosted by American cloud players such as Google, Amazon and Microsoft for the “majors”.
You can guess what a headache it becomes when it comes to ensuring that European data is protected… How do you manage risk with such a multitude of stakeholders: software publishers, cloud providers, data processors, etc.?
These issues also affect the public sector, as shown by the recent case of the Health Data Hub (here), but also by other decisions such as the use of the Amazon cloud for the State-guaranteed loan by the BPI (here)…
Even if most economic actors have not necessarily taken the full measure of the consequences of the RGPD, which came into force in May 2018, this summer’s invalidation of the Privacy Shield is a direct consequence of it, affirming that American and European law do not offer equivalent protection to our citizens.
While this might seem anecdotal, it has economic, and I would even say “geopolitical”, impacts. The sanctions provided for by the RGPD can go up to 4% of the worldwide turnover of the company in question, which makes it a retaliatory tool against the American giants, just as their extraterritorial laws can be.