Ever since GDPR became effective on 25th May 2018, there has been a debate as to whether the earlier arrangement between US and EU for “Adequacy” status based on the 1995 directives would be considered as “adequate” under GDPR for cross border transfer of EU personal data.
Under the Privacy Shield, self certifications were registered with the US Department of Commerce based on a Privacy Shield Framework and the Department of Commerce, US entered into valid legal agreement with EU.
On July 12, 2016, the European Commission deemed the EU-U.S. Privacy Shield Framework adequate to enable data transfers under EU law . It provided the legal basis for transfer of personal data from EU to participating US organizations. This was a replacement of the Safe harbor framework which had been earlier turned down by the EU Courts as inadequate.
According to the Privacy Shield a set of information as listed here were required to be submitted by the US entity to the department as a “Commitment”. A certain fee was charged for the self certification (Eg: $975 for a company with turnover of $25million). The organizations were required to place a grievance redressal mechanism (eg Arbitration) free of charge to the EU citizens who would have a recourse to raise their Privacy related complaints for redressal.
The Privacy Shield requirements addressed the concerns of Privacy reasonably.
However the decision of the EU Court of Justice on 16th July 2020, following a complaint that had been raised in Austria by an activist Max Schrems has now rejected the arrangement from adequacy considerations. But, the Standard Contract Clauses used for cross border transfer were held valid.
Hence US companies who were hitherto relying on the Privacy Shield certifications will have to go for re-writing the contracts with the EU companies incorporating the acceptable Standard Contract Clauses which may bring them to the jurisdiction of the EU Courts directly without the protection of the US judicial system.
However, the obligation to ensure that the SCC s are proper, lies more on the EU entities unless the US entities by virtue of holding business establishments in EU submit themselves to the jurisdiction of GDPR.
The principal reason why the Court held that the Privacy Shield certification is unacceptable to EU is that the “Ombudsperson” under Privacy Shield may not be having the powers to prevent the US intelligence agencies to deny protection to the EU citizens in a manner EU desires. The Court opined that since the Ombudsperson reports directly to the Secretary of State, he cannot be considered “Independent”.
It is the prerogative of the EU Court to provide whatever guideline it wants to the GDPR authorities including directions to accept or reject the agreement it entered into with the US in the interest of the Trade and Commerce.
But if the EU Court considers that the US Secretary of State being the authority to whom the Ombudsperson of Privacy Shield reports is unacceptable from the Privacy protection of a EU citizen, it is to be considered as rejection of the authority of the US Government to take such steps as may be required at the level of the Secretary of State of US to protect their country.
In the current political scenario where it appears that EU is slowly being consumed by Islamic fundamentals and there are demands in some of the EU states about introduction of Sharia law, it is necessary for the global community to ensure their own protection. This includes an ability to retain their sovereign rights to monitor the data movements in the interest of national security. Hence it is to be considered as the sovereign right of US to have a due process of law that provides the Secretary of State some control on the Ombudsperson and cannot provide total independence as EU desires.
This principle that the EU Court seems to propagate through this judgement can tomorrow also provide it a reason to reject the authority of the DPA in India as well as in many other countries.
Hence the decision of the EU Court should be considered as an affront to the global community challenging the authorities of the respective Governments to set up their own apex data protection authorities in good faith with necessary independence but always subject to “National Security Considerations”.
This argument will bring us back to the debate of “Privacy is a right which is not absolute” and has to be considered as subject to “Reasonable Restrictions”.
Though many activists consider “Reasonable” as “Total” and donot agree with any restrictions, it is the fundamental right of any citizen of a free country like US or UK or India to consider that it is the prime duty of the Government to protect its citizens from terrorism, international crime etc.
If this requires surveillance of a certain order subject to a reasonable “due process”, it is unacceptable for a foreign Court to interfere.
The decision of the EU Court will now place US on par with the India and hence from business perspective, Indian companies now may feel that they can compete for data processing contracts directly with US since both are subject to SCC obligations. To this extent, the development can be considered as advantageous to India.
However, this is not a time to gloat over the new business opportunity that has come up but to recognize and oppose the re-emergence of the age old colonial mindset in Europe with the added danger that the current rulers of EU countries may function more under the influence of Islamic fundamentals posing a greater political risk to the international business.
It would be interesting to see how UK reacts to this development and how US counters. The best option could be not to make a fuss about the decision, ignore it and let the businesses settle their commercial interests through the SCCs. It could be inconvenient in the short time but would be acceptable in the long run as a business process.
Naavi
Reference
EUCJ Judgement of 16th July 2020
EDPB clarifications dated 23rd July 2020
EU controller to non-EU or EEA controller
EU controller to non-EU or EEA processor
ICO UK Templates