Privacy Shield Invalidated – Nonprofits May Not Be Affected But Should Be Aware
By Jibran Hussain, Andrew Tobel, J.D., CIPP/US, and Derrick King, CIPP/US
In this highly interconnected, digitized global economy, cross-border data flows are imperative in maintaining and enhancing strong ties between countries. On July 16, 2020, a pivotal component of European Union (EU)–United States (U.S.) data transfers, the EU-US Privacy Shield Framework (Privacy Shield), was declared invalid by the Court of Justice of the European Union (CJEU) with immediate effect. According to the CJEU, EU data transfers to the U.S. under the Privacy Shield arrangement are not safeguarded in a manner that is consistent with EU data privacy standards due to U.S. government surveillance programs.
GDPR Applicability Background
Any nonprofit that collects or processes any information relating directly or indirectly to identifiable individuals, in connection with the offer of goods and/or services or monitoring of EU residents, is subject to the General Data Protection Regulation (GDPR). This could include the collecting or processing of EU members’, benefactors’, grantees’, grantors’, or trustees’ Personal Data. Per the GDPR, Personal Data are any data related to an identified or identifiable natural individual. Examples of Personal Data are first and last names, home address, Internet Protocol (IP) address, cookie identifiers and credit card numbers.
Nonprofits are not exempt from the GDPR, especially if they hold seminars or meetings in the EU, and/or monitor the online behavior of EU residents who visit their website, and/or maintain records on EU residents. Moreover, nonprofit activities that may also be in scope include the processing of Personal Data of volunteers, employees, donors, beneficiaries or fundraising activities. For example, if a U.S. nonprofit organization is aiding Yemeni refugees based in Germany, it would be required to comply with the GDPR as it is engaging in data processing activities pertaining to individuals in the EU. Lastly, the submission of grant reports to agencies or submission of accounting transactions from foreign office locations to U.S. home offices which include EU Personal Data may also have GDPR implications.
The CJEU’s decision is a major setback as it removes a commonly used method for transferring Personal Data from the EU to the U.S., i.e., the Privacy Shield. The Privacy Shield was administered by the Federal Trade Commission (FTC); however, 501(c)(3)s and other nonprofits are not typically under the jurisdiction of the FTC and therefore likely could not participate in the Privacy Shield. Nonetheless, nonprofit organizations should be put on notice that transfer mechanisms are a requirement under the GDPR and subject to strict scrutiny by the courts. There are other data transfer mechanisms available should nonprofit organizations engage in EU-U.S. data transfers:
- Standard Contractual Clauses
- Binding Corporate Rules
- Adequacy Decisions
- Derogations for Specific Circumstances
- Certification Mechanism
Permissible Data Transfer Mechanisms
The GDPR permits EU data transfers to non-EU countries which are deemed by the EU Commission to provide an “adequate” level of data protection standards. However, if there is no “adequacy decision,” organizations can utilize other data transfer mechanisms such as Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), and Derogations for specific circumstances. Crucially, the CJEU upheld the validity of SCCs, but stated there must be supplemental measures and additional data protection safeguards in place with special attention to access by judicial and administrative authorities. In particular, SCCs should include sufficient data protection safeguard provisions when organizations engage in EU-U.S. data transfers. As a result, organizations should reassess their SCC provisions by:
- Reviewing the types of EU Personal Data subject to transfer and whether there is a risk of subpoenas by U.S. National Security agencies;
- Assessing if the transfer of EU Personal Data is necessary and, if not, reducing the scope of the data transfer;
- Including provisions that outline strong data retention practices (e.g., immediate deletion of EU Personal Data if no longer required);
- Implementing strong encryption to protect EU Personal Data.
Additionally, BCRs are a permissible data transfer mechanism that requires data protection safeguard provisions similar to those in SCCs but also requires the approval of EU supervisory authorities. While this can take several months for approval, BCRs are more flexible for organizations as they result in less administrative burden once they are implemented. However, they can be a costly and lengthy process to implement.
Alternatively, under Article 49 of the GDPR, if a nonprofit organization has exhausted the data transfer options including BCRs or SCCs, a data transfer can still take place for a limited number of data subjects under Derogations for specific circumstances:
- The data controller has assessed and provided sufficient safeguards pertaining to the protection of Personal Data of data subjects;
- The data subject has consented to the data transfer after being informed of the risks associated with the data transfer due to the absence of an adequacy decision or sufficient data transfer safeguards;
- The data transfer is required for the performance of a contract between the data subject and the controller;
- The data transfer is required for public interest reasons;
- The data transfer is required to protect the vital interests of a data subject.
Nonprofit organizations, as the data controller, should inform the applicable data protection authority of the data transfer and subsequently inform the data subject.
Nonprofit organizations that fail to comply may risk fines by Data Protection Authorities (DPAs). As a Belgian nonprofit organization recently discovered, DPAs certainly have the appetite to punish organizations that fail to comply with data transfer requirements. The Belgian nonprofit organization was fined €1000 by the Belgian DPA, as it utilized a complainant’s Personal Data for direct marketing purposes and did not have a valid legal basis for processing the complainant’s Personal Data—which is a breach under the GDPR.
Given the CJEU’s ruling on Privacy Shield, U.S. nonprofit organizations engaging in cross-border data transfers can be under greater scrutiny by the EU Commission and will be subject to regulatory fines and reputational loss for violations. However, by bolstering or implementing the aforementioned data transfer mechanisms, nonprofit organizations will be better equipped to navigate and adapt to the evolving data privacy requirements, primarily those concerning EU data transfers.