It has been a pleasant surprise how many colleagues have expressed interest in contributing to the information we publish here. Hopefully that continues, and we will keep a deep bench of Guest Posts. It is one of the many fruits of the good fortune of working with brilliant people.
So, without further ado, I give you my colleagues
and @schera.sampson@bsl.group:

THE ISSUE OF DATA TRANSFER BETWEEN EU-US.
On 10 July 2023, the European Commission adopted its adequacy decision on data transfer protection under the EU-US Data Privacy Framework (DPF), creating another alternative to the use of Standard Contractual Clauses (SCC) to allow US companies to transfer data from the EU.
The decision concludes that the United States ensures an adequate level of protection of personal data – comparable to that of the European Union through the General Data Protection Regulation (GDPR) – under the new “Data Privacy Framework” (DPF) and the associated rule changes implemented surrounding the framework. However, personal data can flow freely from the EU to US companies participating in the DPF, avoiding the use of SCCs, only if certain stringent and costly compliance measures are put in place.
In this article we will explore the reasons that led to the creation of the DPF and we will analyze which, between DPF and SCC, is a better compliance strategy for tech startups to reach GDPR compliance (focusing on those operating in the emerging tech space).
WHAT CAME BEFORE: SCHREMS I & II.
This new adequacy decision comes after years of court litigation regarding the difference in data privacy standards between the EU and the US, with the former having more stringent measures than the latter. The new DPF tackles this issue by providing a new framework that should ensure the same level of protection guaranteed by the GDPR in Europe, as required by Article 44: “GDPR prohibits the transfer of personal data beyond the EU, unless the recipient country can prove it provides adequate data protection.”
The leading case on the topic is Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems - also known as “Schrems I” - which already has two chapters to its saga, and the chances of seeing a third segment are very high.
Indeed, the creation of a legal framework to provide an adequate level of data protection is not a new scenario for the US government. The first two installments of the Schrems saga (Schrems I and II) tackled previous adequacy decisions. In Schrems I, the Court of Justice of the EU ruled the first established framework, named “Safe Harbour”, invalid: Mr. Schrems, an Austrian lawyer, had brought to the attention of the Court that his personal data could be accessed by U.S. intelligence agencies, as then revealed by former CIA whistleblower Edward Snowden.
Following this judgment, the US government negotiated a new and updated framework, the “EU-US Privacy Shield”, adopted through another adequacy decision but, nevertheless, challenged in Schrems II.
Once again, the Court of Justice of the EU found the framework provided by the Privacy Shield to be invalid.
While it is true that important new compliance measures, such as the Standard Contractual Clauses and a supervisory mechanism, were implemented, the Shield framework still allowed the US intelligence agencies unnecessary and disproportionate access to collected data with no real redress. In addition to that, the supervision mechanism was subject to criticism by the Court itself, as it did not provide recourse with actionable rights like data cancellation or damages compensation - contrary to what Article 82 of the GDPR grants in the EU.
Meanwhile - even if the concept underwent material amendments after the Court’s decision - Standard Contractual Clauses remain the primary way of providing equal protection of data, allowing a company to be compliant with the standards imposed by the EU.
Reportedly, only half of the companies that adhered to the Shield framework (about 2,500) have taken steps to utilize the new DPF, reflecting the lack of confidence in its resiliency. The general feeling, as expressed by some companies’ privacy counsels, is that Standard Contractual Clauses remain the safest way to provide adequate protection. Nevertheless, some others argue in favor of DPF adoption, complaining about the length of these clauses, often longer than the contract itself.
IS DPF COMPLIANCE WORTH THE INVESTMENT?
Following Executive Order 14086 by President Biden, the new DPF came to life with improved compliance measures, based on self-certification, aiming to ensure an adequate level of protection that will allow data to flow to the States. The steps necessary to self-certify the company’s compliance with the DPF are complicated, require extensive disclosure and, important for most tech startups, have fairly high associated fees. The priciest of these is the obligation of the company to pay all expenses of dispute resolution for any individual bringing a complaint.
The question then becomes: is self-certification with the DPF worth the investment?
The answer varies based on the company involved but, if we are talking about emerging tech startups, the answer is no.
There are multiple reasons that emerging tech startups should not invest in self-certification for the DPF. First, the legal adequacy of this new framework will - as already announced by Mr. Schrems - be challenged, bringing us to a Schrems III. Even if the compliance measures have been updated, the core issues raised by the Court of Justice of the EU remain unsolved: access to the data by US intelligence is still allowed when “essential to informed decision-making in the areas of national security, national defense, and foreign relations”. This could potentially lead to an intrusion of the US Government into EU individuals’ data that is unpredictable as well as disproportionate, as already invalidated by the Court of Justice of the EU in Schrems II.
Moreover, for emerging tech startups that intend to serve customers within the EU, airtight GDPR compliance is not merely a legal obligation but a strategic necessity, especially for those operating in the blockchain industry. In a risk-based compliance approach, such as the one for blockchain companies, mitigation is a key aspect. And, as it is technically impossible to prevent anyone with internet connectivity from using a blockchain-based product, access to a European customer’s data by a US company can lead to heavy sanctions in the absence of compliance with GDPR.
A reminder of that is the astonishing fine of $1.3 Billion that was levied on Facebook (now Meta) for its GDPR violations.
To avoid incurring the same sanctions, Standard Contractual Clauses remain the safest and cheapest option to comply with GDPR standards. Indeed, SCCs have been adapted and consistently used since their first appearance in the Shield Framework, allowing lawful data flow.
Moreover, immediate compliance with the GDPR through SCCs has another advantage: it makes startups ready for scaling into the EU market right from the start. This quality also makes the company more appealing to institutional investors, who see GDPR compliance as a base requirement for the international expansion of the company.
Therefore, SCCs provide the best option for US-based emerging tech startups to achieve GDPR compliance.
For tech companies, creating a full compliance program is necessary for sustainable growth and business development, and taking a chance on a costly framework that may not stand legal scrutiny is not worth the added risk.
What kind of lawyer would I be without a disclaimer?
Everything I post here constitutes my own thoughts, should only be used for informational purposes, and does not constitute legal advice or establish a client-attorney relationship (though I am happy to discuss if there is something I can help you with). I can be reached via email at dlopezkurtz@crokefairchild.com or david@bsl.group, on Telegram @davidlopezkurtz, on Twitter @lopezkurtz, and on LinkedIn here.