A large portion of the backlash from the Cambridge Analytica (CA) saga, at least in the Privacy world, has focused on US privacy governance, or, as the EU has pointed out, the lack of it. This has been a thorn in the side of the EU for some time, with the notable events in the transatlantic relationship being: the move away from traditional Model Contract Clauses (MCCs); the creation of the Safe Harbor Agreement; (even more notably) the overturning of Safe Harbor as a result of Max Schrems' case concerning Facebook; the creation of Privacy Shield; and the potential overturn of MCCs through the Irish courts (again, because of Facebook). For comparison, other countries outside the EEA have not had such a hard time of it, and can choose between Binding Corporate Rules (if eligible), MCCs, or an adequacy decision for the country as a whole (as Israel, New Zealand, Switzerland, Uruguay and others have obtained).
Schrems, the privacy campaigner who had the Safe Harbor Agreement overturned and now has his sights set on MCCs, seems to be feeling vindicated since Facebook was implicated in CA's misuse of data. Schrems is reportedly ready to file more lawsuits to try to force stricter privacy protections for data sent to the US, which will no doubt be taken slightly more to heart by Facebook this time round (especially now that the prospect of a class action lawsuit costing a serious amount of money has receded). Other major players are also increasingly vocal in their concern, such as Sophie in't Veld, a member of the European Parliament, and Vera Jourova, the EU Justice Commissioner. Both are calling this a wake-up call for Europe to ensure that its citizens' data is protected in the US beyond mere lip service.
Let’s look at the journey the US (and Facebook) has taken with EU privacy laws, their validity today, and the future of the Privacy Shield arrangement.
Binding Corporate Rules

BCRs are for multinational corporations, international organisations and groups of companies that transfer, or otherwise process outside the EEA, the personal data of EEA citizens or of individuals living in the EEA. Binding Corporate Rules are an organisation's internal rules for data transfers, much like a code of conduct. They allow multinational companies to transfer personal data internationally within the same corporate group to countries that do not provide an adequate level of protection, and they must be signed off by a data protection authority, such as the Information Commissioner's Office (ICO) or its equivalents elsewhere in the EEA.
These have been around since the Article 29 Working Party introduced them in 2003, but so far, according to the European Commission's website, only 88 have been set up and signed off. That is a telling figure considering the sheer number of companies that would be eligible, given how many share data across EEA borders within their organisations and subsidiaries. The low take-up could be due to the process being difficult, the standard for sign-off being high, or low awareness. Considering that many of the eligible organisations have very knowledgeable lawyers and information management professionals, I would posit it is one of the first two. Facebook does not have a BCR, but one would validate the data transfers within the Group and solve a number of its issues. This is unlikely to be a path Facebook follows, as the BCR would need to be signed off by either the ICO or the Data Protection Commissioner in Ireland. The process would put its internal practices under significant scrutiny, at the end of which it might not meet the standard, and, to boot, the outputs of that scrutiny would be obtainable under the Freedom of Information Act (exemptions notwithstanding). If Facebook do go for this option, I will eat my hat. However, for other US multinational companies that are eligible, it is an option worth exploring: once achieved, it is smooth sailing as far as internal international data processing goes.
Model Contract Clauses

MCCs are for any organisation outside the EEA wanting to process European data on behalf of a company within the EEA. They are usually an annex to a Data Processing Agreement and are, unfortunately, an afterthought and a blocker in procurement processes that involve any international organisation ('if only they'd gotten Privacy involved right at the start!' will likely be etched on my tombstone as my most-said phrase). If they are initiated at the beginning of a procurement process, with privacy and security provisions included in the tender, MCCs are relatively pain-free. They only become painful when a non-compliant organisation wins a tender because privacy and security were not considered beforehand.
Max Schrems fairly recently brought the case that MCCs just won't cut it when it comes to transferring EEA data to the US before the Irish High Court, which decided that it was not really the one to rule on it (that honour falls to the Court of Justice of the European Union, the CJEU). It is highly likely that the CJEU will invalidate MCCs for transatlantic transfers, since the Irish High Court found the concerns 'well founded' on the basis that the MCCs offer EU data subjects no effective remedy through the US courts for abuses of their rights. This is especially important considering the indiscriminate mass surveillance operations underway by the US government. Any MCCs with the US that are currently in force remain valid; however, I wouldn't advise signing any more of them, as a US company, as the basis of a contract, as they could be (and are likely to be) invalidated quite soon. As Facebook relies on MCCs, this is likely to add fuel to the fire both for MCCs as a concept and for Facebook's position in the CA debacle, since it has been known for over a year that the clauses are on shaky ground.
The elephant in the room when discussing the validity of any agreement or contract with the US is the 'massive and indiscriminate' surveillance undertaken by the US government, which has been the reason in the past, and will likely be the reason in the future, for the invalidation of transfer agreements. The Article 29 Working Party has repeatedly stated that such surveillance is not compatible with EU law, and that where state authorities' access to information goes beyond what is necessary in a democratic society, those countries and territories will not be deemed safe places for the transfer or processing of EU data.
Overall, the blood is in the water for MCCs (but not for their more demanding cousins, BCRs!). Both the US and, more specifically, Facebook must adopt stricter privacy controls and governance if they want to remain competitive in the more privacy-aware EU market. US companies, especially tech companies, are losing out on contracts because of this issue, and will lose out on more as GDPR comes into force and EU companies review their data processor agreements and third-party supplier lists.
The next post will focus on the subject of (the late) Safe Harbor Agreement, Privacy Shield, and the future of transatlantic data processing.