WTF…are standard contractual clauses
Earlier this week, Google emailed its Google Ads clients to update them about changes it plans to make on August 12 in order to remain compliant with Europe’s General Data Protection Regulation.
The change followed a July decision by the Court of Justice of the European Union to invalidate the “Privacy Shield,” a framework that allowed for the transfer of personal data between Europe and the U.S.
With the Privacy Shield program dead with immediate effect, Google told its Ads clients that it will now instead use standard contractual clauses to validate the transfer of personal data from its advertising and measurement services to the U.S. from the European Economic Area, Switzerland and the U.K.
Here’s what every advertising and publishing business needs to know about the death of the Privacy Shield and how standard contractual clauses work.
WTF was the Privacy Shield?
The EU-U.S. Privacy Shield was adopted by the European Commission in 2016 and acted as an approved mechanism for the transfer of personal data between the EU and U.S. in a way that was compliant with GDPR.
The GDPR says you can only send data out of the EU under certain circumstances. One of those circumstances is if the EC determines the data is being sent to a location with an “adequate” level of data protection. Argentina, Canada, Japan and New Zealand are among those countries. The United States’ “adequacy” protection was limited to companies that were certified under the Privacy Shield.
The framework includes strong data protection obligations on the companies receiving the data from the EU, safeguards surrounding the U.S. government’s access to personal data and a commitment to effective protection and redress for individuals. The system was used by more than 5,300 companies, according to the University College of London’s European Institute.
What happened to the Privacy Shield?
Let’s rewind back to 2013. Back then, Austrian lawyer and privacy advocate Max Schrems filed a complaint with the Irish data protection authority about the way Facebook transfers the data of users within the EU from its Irish subsidiary to the social network’s headquarters in the U.S. He argued such transfers — then made under the Safe Harbor agreement — didn’t offer users protection against U.S. public authorities accessing that data. In a 2015 judgment, the European Court of Justice invalidated the Safe Harbor agreement.
In a new complaint, Schrems effectively argued that the Privacy Shield was just the Safe Harbor under a new name and that the U.S. doesn’t offer sufficient protection of data transferred there.
The European Court of Justice ruled on July 16 that the Privacy Shield doesn’t adequately protect EU citizens’ privacy. The European Data Protection Board then said on July 23 there would be no grace period for companies that were using the Privacy Shield as the legal basis for the transfer of their EU data to the U.S.
Where do standard contractual clauses come into it?
These can be downloaded from the EC website and must be completed by both the importer of data and the exporter. The contracts include obligations on behalf of both parties and set out rights for the individuals whose personal data is being transferred.
The clauses must not be amended from the EC wording, though the parties can include additional business-related clauses.
Do standard contractual clauses replace the Privacy Shield?
Not quite. While the ruling said standard contractual clauses as an instrument are valid, the transfer of the data still might not be, depending on the country receiving that data, said Emerald de Leeuw, an independent data protection specialist.
Put another way, if Privacy Shield didn’t protect EU citizens’ data from potential U.S. government snooping — then why would these standard contractual clauses?
According to an update from the EDPB, data transfer from the EU to the U.S. would only be adequate if standard contractual clauses and “supplementary measures” were used. However, the EDPB didn’t define what those supplementary measures are. It might well mean data encryption, but the EDPB didn’t elaborate. An update is expected soon.
With Privacy Shield gone and “supplementary measures” unclear, what alternatives are there?
Large technology businesses — particularly cloud providers — have been setting up substantial European operations so that data doesn’t have to be transferred outside of Europe. (On that topic: TikTok said this week it intends to build a $500 million data center in Ireland to store data generated by European users.)
But for smaller companies, that might not be feasible.
De Leeuw said other companies could contact their cloud service providers, and perhaps pay a premium, to ensure EU data is kept in the EU.
“The lowest risk approach would be to essentially keep the data where it is, re-geofence and retrench what was globalization and bring it back the other way,” said Christian Auty, counsel at Bryan Cave Leighton Paisner LLP.
That’s not always easy for publishers who work with multiple multinational vendors, many of which are based in the U.S. “GDPR has always been an expensive regime to comply with, felt more acutely by smaller businesses,” said Auty.
If I’m a data ‘controller’ — such as a publisher — that transfers personal data out of the EU, what do I need to do immediately?
Stop using Privacy Shield and perform a risk assessment.
In the case of Google’s move to standard contractual clauses, “The risk is with [publishers] rather than Google,” said Adam Rose, partner at law firm Mishcon de Reya. That’s because Google is the processor of the data and publishers are the data controllers who are primarily responsible for what happens to the data that’s being processed, Rose added.