Earlier this week, Google emailed its Google Ads clients to update them about changes it plans to make on August 12 in order to remain compliant with Europe’s General Data Protection Regulation.
The change followed a July decision by the Court of Justice of the European Union to invalidate the “Privacy Shield,” a framework that allowed for the transfer of personal data between Europe and the U.S.
With the Privacy Shield program dead with immediate effect, Google told its Ads clients that it will now instead use standard contractual clauses to validate the transfer of personal data from its advertising and measurement services to the U.S. from the European Economic Area, Switzerland and the U.K.
Here’s what every advertising and publishing business needs to know about the death of the Privacy Shield and how standard contractual clauses work.
WTF was the Privacy Shield?
The EU-U.S. Privacy Shield was adopted by the European Commission in 2016 and acted as an approved mechanism for the transfer of personal data between the EU and U.S. in a way that was compliant with GDPR.
The GDPR says you can only send data out of the EU under certain circumstances. One of those circumstances is if the EC determines the data is being sent to a location with an “adequate” level of data protection. Argentina, Canada, Japan and New Zealand are among the countries the EC has deemed adequate. The United States’ “adequacy” protection was limited to companies that were certified under the Privacy Shield.
The framework included strong data protection obligations on the companies receiving the data from the EU, safeguards surrounding the U.S. government’s access to personal data and a commitment to effective protection and redress for individuals. The system was used by more than 5,300 companies, according to the University College of London’s European Institute.
What happened to the Privacy Shield?
Let’s rewind to 2013. Back then, Austrian lawyer and privacy advocate Max Schrems filed a complaint with the Irish data protection authority about the way Facebook transferred the data of users within the EU from its Irish subsidiary to the social network’s headquarters in the U.S. He argued such transfers — then made under the Safe Harbor agreement — didn’t offer users protection against U.S. public authorities accessing that data. In a 2015 judgment, the European Court of Justice invalidated the Safe Harbor agreement.
In a new complaint, Schrems effectively argued that the Privacy Shield was just the Safe Harbor under a new name and that the U.S. doesn’t offer sufficient protection of data transferred there.
The European Court of Justice ruled on July 16 the Privacy Shield doesn’t adequately protect EU citizens’ privacy. The European Data Protection Board then said on July 23 there would be no grace period for companies that were using the Privacy Shield as the legal basis for the transfer of their EU data to the U.S.
Where do standard contractual clauses come into it?
These can be downloaded from the EC website and must be completed by both the importer and the exporter of the data. The contracts include obligations on both parties and set out rights for the individuals whose personal data is being transferred.
The clauses must not be amended from the EC wording, though the parties can include additional business-related clauses.
Do standard contractual clauses replace the Privacy Shield?
Not quite. While the ruling said standard contractual clauses as an instrument are valid, the transfer of the data itself still might not be valid, depending on the country receiving that data, said Emerald de Leeuw, an independent data protection specialist.
Put another way, if Privacy Shield didn’t protect EU citizens’ data from potential U.S. government snooping — then why would these standard contractual clauses?
According to an update from the EDPB, data transfer from the EU to the U.S. would only be adequate if standard contractual clauses and “supplementary measures” were used. However, the EDPB didn’t define what those supplementary measures are. It might well mean data encryption, but the EDPB didn’t elaborate. An update is expected soon.
With Privacy Shield gone and “supplementary measures” unclear, what alternatives are there?
Large technology businesses — particularly cloud providers — have been setting up substantial European operations so that data doesn’t have to be transferred outside of Europe. (On that topic: TikTok said this week it intends to build a $500 million data center in Ireland to store data generated by European users.)
But for smaller companies, that might not be feasible.
De Leeuw said other companies could contact their cloud service providers, and perhaps pay a premium, to ensure EU data is kept in the EU.
“The lowest risk approach would be to essentially keep the data where it is, re-geofence and retrench what was globalization and bring it back the other way,” said Christian Auty, counsel at Bryan Cave Leighton Paisner LLP.
That’s not always easy for publishers who work with multiple multinational vendors, many of which are based in the U.S. “GDPR has always been an expensive regime to comply with, felt more acutely by smaller businesses,” said Auty.
If I’m a data ‘controller’ — such as a publisher — that transfers personal data out of the EU, what do I need to do immediately?
Stop using Privacy Shield and perform a risk assessment.
In the case of Google’s move to standard contractual clauses, “The risk is with [publishers] rather than Google,” said Adam Rose, partner at law firm Mishcon de Reya. That’s because Google is the processor of the data and publishers are the data controllers who are primarily responsible for what happens to the data that’s being processed, Rose added.