International data transfers are a major focus in the realm of data privacy. Over the past twenty years, authorities have attempted to create guidelines to govern these transfers. In the European Union (EU), we've seen a series of new laws and the subsequent rejection of those laws, resulting in continually changing rules.
Companies often find themselves in situations where they can't be certain if their data privacy practices comply with the current laws, making it a challenging landscape to navigate.
Table of Contents
- What is an international data transfer?
- What legal mechanisms are used to perform international data transfers?
- What is NOYB?
- The Data Protection Directive
- The Safe Harbor Framework
- US Surveillance Activities Exposed
- The “Schrems I” Case
- The Privacy Shield Framework
- The “Schrems II” Case
- Updated SCCs and Supplementary Measures
- The Meta decision
- Transatlantic Data Privacy Framework
- What happens next?
What is an international data transfer?
An international data transfer refers to the process of moving or transmitting personal data from one country or jurisdiction to another. International data transfers can pose significant challenges and risks, particularly in terms of data protection and privacy. Different countries have differing laws and regulations governing the handling and transfer of personal data.
Within the context of the EU, international data transfers refer to data that is transferred between the European Economic Area (EEA) and non-EEA destinations. When the destination country is the United States (US), the transfer is commonly referred to as a transatlantic data transfer. In this article, we will use those terms interchangeably.
What legal mechanisms are used to perform international data transfers?
An adequacy decision is the most important tool available to justify sending personal data outside of the EEA. As the executive arm of the EU, the European Commission (EC) is responsible for proposing and adopting adequacy decisions, which formally confirm that the EC believes that the level of data protection in a non-EEA country or an international organisation is essentially equivalent to the level of protection in the EEA.
If the data importer’s country (i.e. the country of the entity receiving the data) has not been granted an adequacy decision, then the data exporter (i.e. the entity sending the data) must use alternate appropriate safeguards to ensure compliance.
Standard Contractual Clauses (SCCs) provide such an alternate mechanism. Formally introduced by the EU in 2001, SCCs are a set of legal clauses that data exporters can include in their contracts with data importers. When there's no adequacy decision in place, SCCs are the most widely used legal method to legitimise international data transfers. It's essential to understand that SCCs are agreements between a data exporter and a data importer, and they don't have the power to affect the privacy laws of the data importer's country.
In 2021, the SCCs underwent revisions to bring them in line with the requirements of the General Data Protection Regulation (GDPR) and to address certain shortcomings that had emerged over the years. Simultaneously, the EU introduced a requirement for companies to conduct a Transfer Impact Assessment (TIA), which is a methodical evaluation process aimed at identifying and mitigating privacy and data protection risks associated with data transfers. The results of the TIA determine whether to proceed with the transfer or not.
For completeness, it's worth noting Binding Corporate Rules (BCRs) as another mechanism for ensuring adequate safeguards in international data transfers. BCRs enable multinational corporations to transfer personal data from the EEA to their overseas affiliates. These rules are created by the company and require approval from the European Data Protection Board (EDPB).
In summary, an adequacy decision offers companies a straightforward legal framework for conducting international data transfers. In the absence of such a decision, the burden of assessing the legitimacy of these transfers falls on the company itself.
In most cases, companies resort to implementing SCCs and conducting TIAs, which are self-assessment tools and hold no influence over foreign data privacy regulations.
What is NOYB?
Max Schrems is an Austrian privacy activist and lawyer known for his advocacy and legal actions related to data privacy and online privacy rights, particularly within the EU.
In the years following Edward Snowden’s 2013 revelations about the US government’s surveillance practices, Schrems launched a series of legal challenges against major technology companies and government surveillance practices. His actions have led to changes in EU privacy laws.
In 2017, he founded a non-profit privacy advocacy organisation called "None of Your Business" (NYOB). The organisation's mission is to ensure that companies and organisations respect individuals' privacy rights and comply with data protection laws.
The Data Protection Directive
In 1995, the EC adopted the Data Protection Directive (Directive 95/46/EC), which aimed to harmonise data protection laws across the EU and simplify the regulatory landscape for cross-border business operations. Before the directive, each EU member state had its own data protection regulations, leading to a fragmented legal landscape that made cross-border business operations and data transfers challenging.
The directive established the groundwork for addressing data protection challenges in the emerging digital age. It recognised the importance of adapting data protection principles to evolving technologies and the internet.
Important in our discussion, the directive facilitated international data transfers by introducing mechanisms for non-EEA countries to demonstrate an “adequate level of data protection”. The concept of “standard contractual clauses” was also introduced.
At this time, US privacy laws were not considered to offer a data protection standard equivalent to that provided within the EU. In modern terminology, this means the US was not granted an adequacy decision.
The Safe Harbor Framework
The Safe Harbor Framework, which was adopted in 2000, was an agreement between the US and the EU that aimed to facilitate the transfer of personal data from the EU to US-based organisations.
The primary goal of the Safe Harbor Framework was to bridge the gap between the different data protection standards and regulations in the EU and the US, making it easier for EU-based companies to transfer personal data to US entities.
US companies that wanted to participate in the Safe Harbor program were required to self-certify their adherence to the Safe Harbor privacy principles with the US Department of Commerce. This involved providing information about the company's data protection practices and publicly declaring its commitment to complying with the Safe Harbor framework.
By ratifying this agreement, the EC signalled its confidence in US data protection laws, acknowledging them as providing a level of protection equivalent to that within the EU.
US Surveillance Activities Exposed
In 2013, renowned whistleblower Edward Snowden exposed covert surveillance operations conducted by the U.S. National Security Agency (NSA). Snowden's disclosures revealed the existence of programs referred to as PRISM and UPSTREAM, which were carried out under the authority of Section 702 of the Foreign Intelligence Surveillance Act (FISA).
FISA Section 702 authorises the US government, particularly the NSA, to collect intelligence information on non-US persons located outside the US, with the compulsory cooperation of electronic communications service providers.
PRISM is a specific program under Section 702 that allows the NSA to access data held by major technology companies, including email and other online communications, in its efforts to gather foreign intelligence information.
UPSTREAM is a program authorised under Section 702 that allows the NSA to collect electronic communications that are "upstream" from internet cables, specifically from the physical infrastructure of telecommunications networks. This program focuses on capturing internet traffic that passes through US network infrastructure. When communications contain specified selectors or meet certain targeting criteria, they are subject to collection for further analysis by the NSA.
Following the release of this information, there was a massive upheaval in the media, but most of the attention was focused on US citizens’ frustration that their own government was spying on them. The US government explained that any collection of US citizen data under Section 702 data is an accidental by-product of the surveillance programs.
While subsequent investigations proved this to be false, we must keep in mind that the main intent of FISA is the surveillance of non-US persons. This is of course extremely relevant for EU citizens. These programs collect data, and given that the collection parameters are classified, the extent of the data collection is unknown.
The “Schrems I” Case
The Schrems I case, formally known as “Schrems v. Data Protection Commissioner” (C-362/14), was a landmark сase brought by Max Schrems against the Irish Data Protection Commissioner (DPC) for its refusal to investigate a complaint asking the DPC to suspend data transfers from Facebook Ireland to Facebook Inc.
The central issue in the case was the legality of the Safe Harbor Framework. Schrems argued that the revelations of mass surveillance and data collection by US intelligence agencies, as disclosed by Edward Snowden, made it impossible for the Safe Harbor Framework to guarantee the privacy and data protection rights of EU citizens.
The High Court of Ireland referred the case to the CJEU, which issued a decision on October 6, 2015, declaring the Safe Harbor Framework invalid.
The court ruled that the US did not provide an adequate level of data protection for EU citizens.
The decision, colloquially known as the Schrems I decision, confirmed that the CJEU had concerns about US government surveillance practices.
With the invalidation of Safe Harbor, the US no longer held the status of providing adequate data privacy protection, leaving SCCs as the sole legal recourse for justifying international data transfers.
The Privacy Shield Framework
On July 12, 2016, just ten months after the annulment of the Safe Harbor Framework, the EU and the US adopted the EU-US Privacy Shield Framework. It aimed to rectify the deficiencies and concerns raised by the Schrems I decision.
Notable changes included the establishment of an oversight and enforcement mechanism run by the US Department of Commerce and the Federal Trade Commission (FTC), the addition of recourse mechanisms for individuals who believed their privacy rights had been violated, and the provision of an annual review cycle to improve the framework.
The Privacy Shield Framework also included commitments from US authorities regarding the limitations and safeguards surrounding access to personal data for national security or law enforcement purposes. However, no fundamental changes were made to US surveillance laws.
With the acceptance of the Privacy Shield Framework, the EU once again communicated to the world that the level of protection provided by US privacy laws was considered to be adequate according to European standards. EU companies were free to perform international data transfers with US companies, as long as the US companies self-certified to the Privacy Shield framework.
The “Schrems II” Case
In the wake of the Privacy Shield decision, Max Schrems filed an updated complaint against the Irish DPC in a case known as "Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems" (C-311/18). This case is commonly referred to as the Schrems II case.
The High Court of Ireland referred the case to the CJEU, asking it to consider the legality of Privacy Shield and the use of SCCs. It’s worth noting that the case was referred to the CJEU in April of 2018, just one month before GDPR came into effect.
The CJEU issued its ruling (known as the Schrems II decision), on July 16, 2020, invalidating the Privacy Shield Framework on the grounds that the US does not provide an adequate level of data protection due to the far-reaching possibilities of bulk and disproportionate data surveillance that exist under US national security laws.
The court upheld that SCCs could, in practice, ensure compliance with a level of protection in accordance with EU law. However, it highlighted that companies relying on SCCs were obligated to verify, on a case-by-case basis, whether the destination country ensures adequate protection under EU law and, if necessary, implement “additional safeguards” (for which it did not offer a clear definition).
As a result of this ruling, the US lost its status of providing adequate protection, leaving companies with the SCC mechanism as their sole avenue for legitimising international data transfers. However, there were no clear implementation guidelines on how SCCs could effectively address the surveillance issue.
Updated SCCs and Supplementary Measures
Acknowledging the disparities between the theoretical framework and the practical application of SCCs after the Schrems II decision, the EC and the EDPB began working on making clearer guidelines for their use.
On June 4, 2021, a new set of SCCs was released, and on June 18, 2021, the EDPB finalised its recommendations regarding supplementary measures for transfer tools. These recommendations included a six-step roadmap aimed at aiding in the evaluation of third countries and the identification and implementation of suitable supplementary measures:
- Understand the nature of the data
- Identify transfer tools
- Assess Third Country Laws
- Adopt supplementary measures
- Take procedural steps
- Re-evaluate at appropriate intervals
In the third step of the roadmap, the data exporter is required to conduct a TIA to evaluate the potential risks associated with government requests for data access in the destination country, taking into account its legal framework.
It is essential to recognise that, despite the comprehensive risk analysis process outlined in the new guidelines, companies cannot change the laws of the destination country. Consequently, an inherent risk that foreign governments can gain access to personal data persists.
The Meta decision
The Schrems cases against Facebook (now called Meta) were private cases brought by Max Schrems against a corporation. These cases acted as catalysts for the CJEU to make EU legislative decisions.
Although these decisions are known as “Schrems decisions”, they did not provide a ruling in the Schrems cases, which were brought against Meta as a corporation.
However, on May 22, 2023, under the advisement of the EDPB, the Irish DPC reached a verdict in the Schrems cases, imposing a €1.2 billion fine on Meta and ordering the company to stop transferring data collected from users in Europe to the United States.
The DPC decision highlighted that Meta's use of SCCs for data transfers did not provide adequate protection for European users' data. The DPC conveyed that measures taken by Meta, such as encryption and pseudonymisation, were not enough to prevent US intelligence agencies from accessing the data. Meta's data protection impact assessments were inadequate and did not fully consider the risks involved in data transfers to the US.
The organisational, technical and legal measures that Meta had implemented were extensive (e.g., policies, encryption of data in transit and challenging government requests for access). Still, they were deemed to be insufficient: they could not prevent non-court supervised access to a user’s data without the user's knowledge, which the PRISM program of FISA Section 702 allows.
After the ruling, Meta released a statement claiming it was being singled out. While that could be the case, the DPC decision nevertheless has wide-reaching implications for all companies involved in EU-US data transfers. It emphasises the uncertainty around the use of SCCs and supplemental measures as a tool to guarantee personal data privacy in countries that have pervasive surveillance laws.
The reliability of SCCs as a means to legitimise EU-US data transfers was severely diminished by this ruling, posing a significant threat to the $7.1 trillion transatlantic economic relationship reliant on cross-border data flows.
Transatlantic Data Privacy Framework
On July 10, 2023, in a third attempt to provide the US with an adequacy decision, the EU and the US passed the EU-US Data Privacy Framework, also known as the Transatlantic Data Privacy Framework. The new framework was put in place to address the concerns raised about the Privacy Shield Framework in the Schrems II decision.
Much like Safe Harbor and Privacy Shield, the Transatlantic Data Privacy Framework employs a self-certification process that grants adequacy status to US companies that register and adhere to the framework's requirements.
The main driver for the adoption of the Transatlantic Data Privacy Framework was the execution of a Presidential Executive Order (EO) 14086, which introduced new legal safeguards concerning the use of EU citizens' personal data by US security agencies.
The relevant language in EO 14086 states that “signals intelligence activities shall be conducted only to the extent and in a manner that is proportionate to the validated intelligence priority for which they have been authorised”.
Nonetheless, FISA Section 702 remains intact and unchanged. EO 14086 promises that data collection will align with national security needs in a "proportionate" manner. However, the precise definition of "proportionate" as interpreted by the NSA remains undisclosed. The NSA does not disclose the specifics of its data collection and processing practices, making it impossible to scrutinise what it deems to be proportionate.
Schrems communicated that without changes to Section 702 of FISA, the Transatlantic Data Privacy Framework does not fundamentally change the real issue, which is US surveillance of EU citizens, and he has already initiated steps to challenge the validity of the new framework.
Explore Digital Samba`s features
GDPR compliance, E2EE, token-based security and more
What Happens Next?
Looking back at the past two decades, it's clear that the legal landscape for international data transfers can change rapidly. There's a fundamental conflict between extensive surveillance and protecting data privacy, and the future of the Transatlantic Data Privacy Framework is uncertain, especially considering that FISA Section 702 hasn't changed.
As it has done before, the CJEU may contest the EC's acceptance of the framework, arguing that economic interests should not take priority over the data privacy rights of EU citizens.
In the (perhaps not so) hypothetical scenario of an invalidated Transatlantic Data Privacy Framework, where would companies find themselves? The Meta case already makes it clear that SCCs, TIAs and supplemental measures cannot be relied upon with certainty.
Are European companies willing to risk that the adequacy decision will hold and continue doing business as usual? Or should they invest in implementing a solution that eliminates concerns about constantly evolving regulations? Cautious companies will make use of the temporary relief provided by the adequacy period to transition from US providers to European alternatives.
In the world of video conferencing, the explosive rise of SaaS services on a global scale has prompted countless businesses to rely on major US providers for their remote communication requirements. In light of our current understanding of potential privacy rights violations, the moment is ripe for a transformative shift.
Consider making the switch to a European provider like Digital Samba, where data protection and privacy can be prioritised without compromise. It's time to safeguard your communication needs with a provider that champions your privacy.
Share this
GDPR Compliance in Video Meetings: What You Need To Know
Unlocking Privacy Prowess: Why US Firms Should Pay Attention to GDPR
