Earlier this month the Court of Justice of the European Union (CJEU) struck down the ‘Privacy Shield’, a 2016 agreement between the US and EU which made it easier for businesses to legally send personal data from the EU to the US. Put simply, as things stand, businesses that have been depending on the Privacy Shield can no longer legally send the personal data of EU citizens to the United States.
The decision has potentially huge implications for ad tech companies that are headquartered in the US. As things stand, it seems many will be uncertain about whether they can legally carry out business in Europe at all with their current infrastructure.
The Privacy Shield was an agreement struck between the US and EU. Businesses could sign up to the Privacy Shield and its obligations to ensure that any personal data sent from the EU to the US would be protected.
But the CJEU, following a case filed by Austrian privacy activist Max Schrems, has ruled that the Privacy Shield is invalid. The court judged that US domestic law means the US government can access personal data sent across from the EU for national security purposes. And the data protections provided by the Privacy Shield aren’t enough to mitigate this risk, according to the CJEU.
If personal data is transferred outside of the EU, it must be protected by privacy laws which are “essentially equivalent” to the EU’s own. If this is not the case, specific protections must be put in place by both the company which sends the data and the company which receives it, to make sure the personal data is adequately protected.
What does this mean for the ad industry?
Firstly, it’s important to stress that not every business that transfers data from the EU to the US is signed up to the Privacy Shield, as there are other legal alternatives. But many companies within the digital advertising ecosystem are signed up. Google, Facebook, Amazon, Xandr, The Trade Desk, FreeWheel, Index Exchange and OpenX were among those who have been working under the Privacy Shield.
Now it seems those companies can no longer rely on the Privacy Shield as a legal basis for data transfers. And the European Data Protection Board, an EU body, stated its position bluntly in a FAQ posted last week. “Transfers on the basis of this legal framework are illegal,” it said.
In order to continue sending data from the EU to the US, these businesses need to turn to alternative means of protecting data.
One way to do this is through EU-endorsed ‘Standard Contractual Clauses’ (SCCs). If both a data exporter in the EU and a data importer in the US agree to SCCs, they may then legally send data across borders. Some, including Facebook, already use SCCs to govern data transfers.
But the European Data Protection Board (EDPB) said any company using SCCs needs to also run their own assessment of US law, and the risks it poses to any data that company transfers. If they find that any data they transfer could be threatened by US law, they will need to add supplementary measures in order to protect data. But it’s not really clear what these supplementary measures would look like. The EDPB said it is “looking further into what these supplementary measures could consist of, and will provide more guidance”.
‘Binding Corporate Rules’ (BCRs) are another way to legally send data. Essentially a business can draw up a list of rules it agrees to adhere to, and have those rules checked by a European data protection authority (DPA). If the DPA approves those rules, they can then be used as a legal basis for sending data overseas. But as with SCCs, the European Data Protection Board says businesses must conduct their own assessment of US law and the risk it poses in relation to the data they transfer. And again, if privacy is at risk, they must add ‘supplementary measures’ to add further protection.
Uncertainty over enforcement
At this point it’s still difficult to assess the impact of the CJEU’s ruling.
Partly, it depends on each individual business, and whether they have valid SCCs or BCRs in place. As the EDPB has said, any business using SCCs or BCRs must have run their own assessment of US law and the threat it poses to data privacy. If not, the Data Protection Board’s stance is that they must immediately cease data transfers.
But it also depends on how quickly data protection authorities act. Officially, there is no grace period following the CJEU’s ruling. Regulators might take a soft-touch approach as they did with GDPR, but they’ll be under no obligation to do so.
Max Schrems’ ongoing legal case gives a window into the complexity and uncertainty of the situation. Although Facebook is signed up to the Privacy Shield, it also uses SCCs to govern how it handles data, and Facebook claims this means it can still legally transfer data from the EU to the US.
But Schrems disagrees, saying that the SCCs used by Facebook will not protect EU user data from being accessed by US authorities. Schrems is now pushing for Ireland’s data protection authority, which is responsible for regulating Facebook in the EU, to take action and stop Facebook from sending data to the US.
If Ireland’s data protection authority agrees with Schrems, all other ad tech companies relying on SCCs will likely similarly be faced with the choice of either ending data transfers from the EU to the US, or running the risk of operating illegally.