If you are in the e-commerce business, if you provide online services and cooperate with companies from the USA, or if you simply use servers located in the USA, this piece about the rules governing the data you transfer or share with American entities will be significant for you.
Namely, as you may already know, on July 16, 2020, by the verdict of the EU Court of Justice, the EU-US Privacy Shield was invalidated. This agreement was the legal framework for personal data transfer from the EU to the USA. The consequences of this decision affected European as well as domestic entities that transfer personal data to American companies and other entities. The scale of the implications of this verdict is shown by a survey sample from the UCL European Institute, which found that almost 1600 companies (30% of the total number) used Privacy Shield mechanisms to transfer data about their employees back to the USA.
What Exactly Is the EU-US Privacy Shield and How Did It Get Invalidated?
When data is transferred between EU member states, i.e., between countries which by definition offer an adequate level of data protection [1], the transfer proceeds smoothly and no additional requirements or approvals are necessary.
However, the USA is not listed among the countries that offer an adequate level of personal data protection, which is not surprising when we take into consideration the scandals revolving around the National Security Agency and Facebook. Also, the right to privacy is not ranked among constitutional rights in the USA, while in the EU, the right to privacy and personal data protection is a fundamental right of every EU citizen. Apart from that, American entities can process personal data by default, while in the EU, entities must have legitimate legal grounds for every instance of personal data processing.
For all the reasons listed, the USA belongs to the category of so-called third countries, so the prerequisite for legal data transfer to American data processors is to put in place mechanisms that guarantee that the transferred data will be protected.
The adoption of the EU-US Privacy Shield made data transfer much easier. It was enough for an entity from the USA to register, align its business with the rules of that mechanism and pay a certain fee; data transfer could then be completed smoothly.
However, the question of how secure such transfers really were was raised only at the initiative of Max Schrems, a privacy rights activist who is behind the whole case that led to the Privacy Shield invalidation.
The initiative resulted in the verdict of the Court after it was determined that the EU-US Privacy Shield does not offer protection to EU citizens whose data is transferred to the USA, at least not in the scope necessary to protect their right to privacy, and not at the level of personal data protection that is granted in the EU.
Besides the EU member states, the effect of the GDPR (General Data Protection Regulation) extends to non-member countries as well. This means that the consequences of the striking down of Privacy Shield also affected controllers and processors of personal data who transfer data from Serbia to the USA.
What Are the Consequences of the Privacy Shield Invalidation?
With the invalidation of the EU-US Privacy Shield in 2020, the USA has the status of a third country, meaning that personal data can be transferred to the USA only if it is determined that the conditions for data transfer from European countries are ‘adequate’. One of the mechanisms which provide an adequate level of protection during data transfer is the Standard Contractual Clauses (SCC) adopted by the EU Committee.
Specifically, this means that all entities from the EU that transfer personal data to entities from the USA have to conclude appropriate contracts using the Standard Contractual Clauses.
The main drawback of the Standard Contractual Clauses is that in practice it is extremely difficult to check whether both parties are compliant. Specifically, this would require the entity which transfers the data to the USA to take an active role and inspect in detail whether the data recipient (located in the USA) complies with the protection conditions, which in practice, as it turned out, is almost impossible.
Still, even though the Clauses formally represent a valid basis for data transfer to third countries, when it comes to the USA their use is not unlimited. While reaching the verdict, the Court concluded that the Clauses cannot be used for personal data transfer to the USA without an additional review by the data controller.
If we take into account the following two facts – firstly, that the controller of personal data is responsible for the selection of data processors and for potential data leaks which could happen in the USA, and secondly, that persons whose data was breached can directly request an explanation from the controller – this leads us to the conclusion that an inadequate choice of a processor from the USA could cost you a fortune.
What does this mean for Serbia?
If you believe that the obligations introduced with the verdict from 2016 and the rules it created will not affect you because your business is Serbia-based, well – you are mistaken.
Namely, since the Serbian Law on Personal Data Protection (hereafter: Law) has adopted almost all of the rules from the GDPR (we have discussed this in our blog 9 most common misconceptions of employers on personal data protection), all the consequences regarding data protection in the EU will be noticeable, even when it comes to data transfer from Serbia to the USA.
Hence, whenever you transfer data from Serbia to the USA, it is necessary to provide an appropriate level of personal data protection [2]. Since Privacy Shield was invalidated in 2016, you are required to apply the other mechanisms at your disposal.
The Commissioner also takes the position that the USA does not provide an appropriate level of protection under the Privacy Shield framework or under the Personal Data Protection Act.
For a few years now, the Commissioner has urged all controllers and processors to find other mechanisms for data transfer to the USA prescribed by the PDPA. Also, the Commissioner directed an official notice to the Government of the Republic of Serbia with the purpose of aligning the Decision of the Government on the list of countries considered to provide an appropriate level of personal data protection, i.e., removing the USA from the said list, although this delisting has not been completed so far.
What are the alternatives?
Similarly to the EU, you have the Standard Contractual Clauses at your disposal, but in this case the ones issued by the Commissioner for Information of Public Importance and Personal Data Protection (hereinafter: Commissioner). In other words, you are obliged to conclude appropriate contracts with your contractors from the USA if you want to be sure that you are acting in accordance with the PDPA.
In all such cases, you must conclude appropriate contracts with the American company and regulate the questions regarding data transfer to the USA.
On the other hand, if the GDPR applies to you extraterritorially (we have written about this in Territorial Scope of GDPR in Serbia), all of its obligations and rules apply to you, the same as when data is transferred from the EU to the USA.
Therefore, the same rules apply to all Serbian employers as to the rest of the European Union: when concluding an agreement with processors from the USA, you will have to carry out the appropriate checks to determine whether all the conditions regarding personal data transfer have been fulfilled. Otherwise, you are facing financial fines prescribed under the PDPA’s penalty clauses, as well as penalties prescribed by the GDPR (if the conditions for extraterritorial application of the GDPR are met).
If all of this seems too complicated, the alternative is to seek the approval of the Commissioner for each data transfer to the USA. Compared to this option, you will agree that the Standard Contractual Clauses do not seem that bad.
Yet, there are exceptions
The exceptions from the rules that follow from the EU Court of Justice’s verdict are the situations where cross-border transfer to the USA is allowed without fulfilling additional conditions (such as applying the Clauses or obtaining the Commissioner's approval), and they are explicitly prescribed by the PDPA or the GDPR. Therefore, in certain cases, data transfer to the USA is allowed regardless of the non-existence of the EU-US Privacy Shield.
According to the PDPA, data transfer to the USA can be done as if the Privacy Shield still exists, and without applying specific precautions, in the following situations:
- You have given explicit consent for your personal data transfer to the USA, and you were informed of the risks beforehand, given that there is no Privacy Shield or any other protection mechanism. You can always withdraw your consent.
- The transfer is essential for the performance of an agreement between the data subject and the data controller, i.e., for the conclusion of the agreement – for example, you have ordered goods from the USA and in order for the goods to be delivered, you have to disclose your address. Given that the agreement cannot be concluded without this, the PDPA allows an exception from the aforementioned rules.
- When the transfer is essential to submit, obtain, or defend your legal request – for example, if you are asking for a refund from an American company, data transfer is allowed.
Other exceptions include the fulfillment of important public interests of the Republic of Serbia, the protection of the vital interests of a natural person, and the transfer of certain personal data kept in a public register, which is rarely used in practice.
Certainly, entities that transfer data to American IT companies or store the data they gather on American servers have already felt the consequences of the EU-US Privacy Shield being struck down the most.