WTF…are standard contractual clauses
Earlier this week, Google emailed its Google Ads clients to update them about changes it plans to make on August 12 in order to remain compliant with Europe’s General Data Protection Regulation.
The change followed a July decision by the Court of Justice of the European Union to invalidate the “Privacy Shield,” a framework that allowed for the transfer of personal data between Europe and the U.S.
With the Privacy Shield program dead with immediate effect, Google told its Ads clients that it will now instead use standard contractual clauses to validate the transfer of personal data from its advertising and measurement services to the U.S. from the European Economic Area, Switzerland and the U.K.
Here’s what every advertising and publishing business needs to know about the death of the Privacy Shield and how standard contractual clauses work.
WTF was the Privacy Shield?
The EU-U.S. Privacy Shield was adopted by the European Commission in 2016 and acted as an approved mechanism for the transfer of personal data between the EU and U.S. in a way that was compliant with GDPR.
The GDPR says you can only send data out of the EU under certain circumstances. One of those circumstances is if the EC determines the data is being sent to a location with an “adequate” level of data protection. Argentina, Canada, Japan and New Zealand are among the countries the EC has deemed adequate. The United States’ “adequacy” protection was limited to companies that were certified under the Privacy Shield.
The framework includes strong data protection obligations on the companies receiving the data from the EU, safeguards surrounding the U.S. government’s access to personal data and a commitment to effective protection and redress for individuals. The system was used by more than 5,300 companies, according to the University College of London’s European Institute.
What happened to the Privacy Shield?
Let’s rewind back to 2013. Back then, Austrian lawyer and privacy advocate Max Schrems filed a complaint with the Irish data protection authority about the way Facebook transfers the data of users within the EU from its Irish subsidiary to the social network’s headquarters in the U.S. He argued such transfers — then made under the Safe Harbor agreement — didn’t offer users protection against U.S. public authorities accessing that data. In a 2015 judgment, the European Court of Justice invalidated the Safe Harbor agreement.
In a new complaint, Schrems effectively argued that the Privacy Shield was just the Safe Harbor under a new name and that the U.S. doesn’t offer sufficient protection of data transferred there.
The European Court of Justice ruled on July 16 that the Privacy Shield doesn’t adequately protect EU citizens’ privacy. The European Data Protection Board then said on July 23 there would be no grace period for companies that were using the Privacy Shield as the legal basis for the transfer of their EU data to the U.S.
Where do standard contractual clauses come into it?
Standard contractual clauses can be downloaded from the EC website and must be completed by both the importer of data and the exporter. The contracts include obligations on behalf of both parties and set out rights for the individuals whose personal data is being transferred.
The clauses must not be amended from the EC wording, though the parties can include additional business-related clauses.
Do standard contractual clauses replace the Privacy Shield?
Not quite. While the ruling said standard contractual clauses as an instrument are valid, the transfer of the data still might not be, depending on the country receiving that data, said Emerald de Leeuw, an independent data protection specialist.
Put another way, if Privacy Shield didn’t protect EU citizens’ data from potential U.S. government snooping — then why would these standard contractual clauses?
According to an update from the EDPB, data transfer from the EU to the U.S. would only be adequate if standard contractual clauses and “supplementary measures” were used. However, the EDPB didn’t define what those supplementary measures are. It might well mean data encryption, but the EDPB didn’t elaborate. An update is expected soon.
With Privacy Shield gone and “supplementary measures” unclear, what alternatives are there?
Large technology businesses — particularly cloud providers — have been setting up substantial European operations so that data doesn’t have to be transferred outside of Europe. (On that topic: TikTok said this week it intends to build a $500 million data center in Ireland to store data generated by European users.)
But for smaller companies, that might not be feasible.
De Leeuw said other companies could contact their cloud service providers, and perhaps pay a premium, to ensure EU data is kept in the EU.
“The lowest risk approach would be to essentially keep the data where it is, re-geofence and retrench what was globalization and bring it back the other way,” said Christian Auty, counsel at Bryan Cave Leighton Paisner LLP.
That’s not always easy for publishers who work with multiple multinational vendors, many of which are based in the U.S. “GDPR has always been an expensive regime to comply with, felt more acutely by smaller businesses,” said Auty.
If I’m a data ‘controller’ — such as a publisher — that transfers personal data out of the EU, what do I need to do immediately?
Stop using Privacy Shield and perform a risk assessment.
In the case of Google’s move to standard contractual clauses, “The risk is with [publishers] rather than Google,” said Adam Rose, partner at law firm Mishcon de Reya. That’s because Google is the processor of the data and publishers are the data controllers who are primarily responsible for what happens to the data that’s being processed, Rose added.