WTF…are standard contractual clauses
Earlier this week, Google emailed its Google Ads clients to update them about changes it plans to make on August 12 in order to remain compliant with Europe’s General Data Protection Regulation.
The change followed a July decision by the Court of Justice of the European Union to invalidate the “Privacy Shield,” a framework that allowed for the transfer of personal data between Europe and the U.S.
With the Privacy Shield program dead with immediate effect, Google told its Ads clients that it will now instead use standard contractual clauses to validate the transfer of personal data from its advertising and measurement services to the U.S. from the European Economic Area, Switzerland and the U.K.
Here’s what every advertising and publishing business needs to know about the death of the Privacy Shield and how standard contractual clauses work.
WTF was the Privacy Shield?
The EU-U.S. Privacy Shield was adopted by the European Commission in 2016 and acted as an approved mechanism for the transfer of personal data between the EU and U.S. in a way that was compliant with GDPR.
The GDPR says you can only send data out of the EU under certain circumstances. One of those circumstances is if the EC determines the data is being sent to a location with an “adequate” level of data protection. Countries including Argentina, Canada, Japan and New Zealand are among those countries. The United States’ “adequacy” protection was limited to companies that were certified under the Privacy Shield.
The framework includes strong data protection obligations on the companies receiving the data from the EU, safeguards surrounding the U.S. government’s access to personal data and a commitment to effective protection and redress for individuals. The system was used by more than 5,300 companies, according to the University College of London’s European Instittue.
What happened to the Privacy Shield?
Let’s rewind back to 2013. Back then, Austrian lawyer and privacy advocate Max Schrems filed a complaint with the Irish data protection authority about the way Facebook transfers the data of users within the EU from its Irish subsidiary to the social network’s headquarters in the U.S. He argued such transfers — then made under the Safe Harbor agreement — didn’t offer users protection against U.S. public authorities accessing that data. In a 2015 judgment, the European Court of Justice invalidated the Safe Harbor agreement.
In a new complaint, Schrems effectively argued that the Privacy Shield was just the Safe Harbor under a new name and that the U.S. doesn’t offer sufficient protection of data transferred there.
The European Court of Justice ruled on July 16 the Privacy Shield doesn’t adequately protect EU citizens’ privacy. The European Data Protection Board then said on July 23 there would be no grace period for companies that were using the Privacy Shield as the legal basis for the transfer of their EU data to the U.S.
Where do standard contractual clauses come into it?
These can be downloaded from the EC website and must be completed by both the importer of data and the exporter. The contracts include obligations on behalf of both parties and sets out rights for the individuals’ whose personal data is being transferred.
The clauses must not be amended from the EC wording, though the parties can include additional business-related clauses.
Do standard contractual clauses replace the Privacy Shield?
Not quite. While the ruling said standard contractual clauses as an instrument are valid, the transfer of the data still might not be depending on the country receiving that data, said Emerald de Leeuw, an independent data protection specialist.
Put another way, if Privacy Shield didn’t protect EU citizens’ data from potential U.S. government snooping — then why would these standard contractual clauses?
According to an update from the EDPC, data transfer from the EU to the U.S. would only be adequate if standard contractual clauses and “supplementary measures” were used. However, the EDPC didn’t define what those supplementary measures are. It might well mean data encryption, but the EDPC didn’t elaborate. An update is expected soon.
With Privacy Shield gone and “supplementary measures” unclear, what alternatives are there?
Large technology businesses — particularly cloud providers—have been setting up substantial European operations so that data doesn’t have to be transferred outside of Europe. (On that topic: TikTok said this week it intends to build a $500 million data center in Ireland to store data generated by European users.)
But for smaller companies, that might not be feasible.
De Leeuw said other companies could contact their cloud service providers, and perhaps pay a premium, to ensure EU data is kept in the EU.
“The lowest risk approach would be to essentially keep the data where it is, re-geofence and retrench what was globalization and bring it back the other way,” said Christian Auty, counsel at Bryan Cave Leighton Paisner LLP.
That’s not always easy for publishers who work with multiple multinational vendors, many of which are based in the U.S. “GDPR has always been an expensive regime to comply with, felt more acutely by smaller businesses,” said Auty.
If I’m a data ‘controller’ — such as a publisher — that transfers personal data out of the EU what do I need to do immediately?
Stop using Privacy Shield and perform a risk assessment.
In the case of Google’s move to standard contractual clauses, “The risk is with [publishers] rather than Google,” said Adam Rose, partner at law firm Mishcon de Reya. That’s because Google is the processor of the data and publishers are the data controllers who are primarily responsible for what happens to the data that’s being processed, Rose added.
‘Walk before you run’: Sports publishers look to blow out their betting content
Over the past 12 months, several large sports media brands have signed partnership deals with sports books
‘It’s a virtuous cycle’: Audiences and advertisers seek health and wellness content and publishers are seeing green
Publishers are building new content products that give audiences more health and wellness content and advertisers more partner opportunities.
Election-focused products charge U.S. growth at The Economist
The brand's focus is covering the upcoming election, building up the leadership team and creating an aggressive three-year growth plan.
SponsoredB2B events were broken before the pandemic, their online reinvention is creating positive change
Kim Darling, executive producer, Inbound Farewell lanyards, business cards and branded pens — it’ll be some time before people get their hands on these souvenirs of in-person events again. As the COVID-19 pandemic continues to transform the way people work, buy, sell, socialize and entertain themselves, the global events industry is facing its biggest-ever challenge. […]
‘Necessary, but insufficient:’ Advertisers are starting to question the value of low exchange fees
Large changes in bid price can often produce small changes in an advertiser’s ability to win those auctions.
‘One beat in an ongoing movement’: BET+ general manager Devin Griffin on the streamer’s evolution
Pre-launch research for BET+ found a lot of demand for content focused on Black stories and experiences, but 'the supply is not quite right.'