The Obligation to Explain vs. the Obligation to Protect: Disclosure Post-Schrems II

Introduction: The Obligation to Report and Explain

The obligation not only to ensure the privacy of stored data but also to disclose and explain the steps taken to safeguard that data is becoming increasingly costly to companies.

Government regulators, customers, shareholders and individuals now routinely demand explanations of both security protocols and responses to data incidents, including the steps taken to remediate the damage from such incidents.

To the extent that these disclosures can be made without compromising a company’s network, they are effectively involuntary at this point. This is true from the regulatory, legal and public relations standpoints.

Data-protection measures, together with the disclosure and reporting requirements that attach to them, are now a primary cost for any organization aggregating data.

More importantly, reporting needs are also bumping up against data privacy protection requirements, posing yet another legal challenge for companies aiming to do the right thing.

SCCs and the Privacy Shield Framework: Prior Efforts at Easing the Compliance Process

In 2016, the concern for the protection of personal data resulted in the U.S.-E.U. Privacy Shield framework.

This framework was enacted by the United States, the European Union and Switzerland in order to establish guidelines for companies’ compliance with data protection requirements when transferring personal information between them.

The Privacy Shield framework is administered by the International Trade Association (“ITA”) within the U.S. Department of Commerce.

Previously, U.S.-based organizations were able to apply to obtain Privacy Shield certification from the ITA. Privacy Shield certification, for approved U.S. organizations, meant compliance with E.U. data privacy laws.

This process was approved in 2016 by the European Commission.

In addition to the Privacy Shield, an alternative system of privacy compliance has also been utilized by companies conducting business between the U.S., the E.U. and Switzerland.

The Standard Contractual Clauses (“SCCs”) system allowed companies trading personal data cross-border to utilize contractual clauses approved by the European Union to ensure data compliance.

A number of large data companies, including Facebook, took advantage of the SCC system to conduct cross-border business.

However, in July 2020, both of these compliance systems changed when an Austrian data privacy activist named Max Schrems filed a suit in Europe to contest Facebook’s use of SCCs.

The Schrems II Decision: Goodbye, Yellow Brick Road …

Max Schrems filed a suit in Ireland seeking a ruling that Facebook’s cross-border transfers of E.U. personal data utilizing the SCCs were invalid, on the basis that the SCCs did not offer sufficient privacy protection for E.U. nationals.

Ultimately, the Court of Justice of the European Union (“CJEU”) agreed that this was the case — sort of.

In a surprise ruling, the CJEU ruled that the U.S.-E.U.-Switzerland Privacy Shield framework was invalid for that very reason. The CJEU ruled that U.S. law failed to grant E.U. individuals a cause of action for a breach of data privacy rights equivalent to that guaranteed under E.U. law.

As to the SCCs, the Court held that organizations can continue to utilize these contractual provisions — but only where case-specific risks have been properly assessed. The SCCs, the Court said, “… cannot amount to a tick box exercise.”

Conclusion: Where to Go With This?

The takeaway here is that, while U.S. businesses and other organizations face a rising domestic demand for disclosure regarding their damage-mitigation efforts around data events, any disclosure made will face tough scrutiny in the E.U. if it reveals too much personal data of E.U. origin in the process.

Likewise, the risk of governmental sanction exists if disclosures reveal that personal data with an E.U. origin has been compromised.

Neither the Privacy Shield framework (which the ITA continues to operate) nor the SCCs will safeguard a company from litigation or sanction if the level of governmental access to personal data is overly generous.

Going forward, companies will need to assess on a case-by-case basis whether the SCCs may be relied upon.