14 September 2020

Data Blast: Swiss-US Privacy Shield no longer adequate and more…

See below for the latest Data Blast from our legal team: Swiss-US Privacy Shield no longer adequate; EU task forces established to handle questions of EU-US data transfers; Facebook taking Irish regulator to court over US data transfer ban; California adopts law requiring parental consent for social media use by children.

Swiss DPA concludes that Swiss-US Privacy Shield is no longer adequate

On September 8th, following its annual assessment of the Swiss-US Privacy Shield, the Swiss Federal Data Protection Information Commissioner (FDPIC) announced that it no longer considers the Privacy Shield adequate with respect to the transfer of personal data from Switzerland to the United States.

The announcement follows the July decision of the Court of Justice of the European Union (CJEU) in Schrems II (previously covered here), which invalidated the EU-US Privacy Shield for personal data transfers between the EU and the US.

The FDPIC concluded in a September 8th position paper that whilst the Swiss-US Privacy Shield guarantees special protection rights for data subjects in Switzerland, it fails to provide an adequate level of protection for data transferred from Switzerland to the US under the Swiss Federal Act on Data Protection (FADP). In light of this assessment, the FDPIC has deleted the reference to ‘adequate data protection under certain conditions’ for the US in their list of countries. While the FDPIC lacks authority to invalidate the Swiss-US Privacy Shield Framework, companies transferring data between the two countries may no longer rely on the Privacy Shield as a valid means of data transfer.

Following the CJEU’s ruling, the FDPIC also announced that, in order to rely on alternative transfer mechanisms such as Standard Contractual Clauses (SCCs), companies must undertake a risk assessment and implement additional safeguards where the risk assessment concluded that personal data is not adequately protected. Safeguards include technical measures such as encryption, which prevent authorities in the receiving country from accessing the transferred data. When implementing such safeguards is not possible, the FDPIC recommends suspending the relevant personal data transfers.

The FDPIC also stated that when conducting risk assessments, the data transferor must consider whether the transferee is able to cooperate with the transferor in accordance with Swiss data protection principles. Transferors must evaluate whether the transferee is subject to ‘special access requests’ by government or public authorities in the receiving country; where risks are identified, additional measures to supplement SCCs must be considered in order to provide adequate protections, absent which data transfers cannot proceed.

EDPB creates taskforces for data transfers following Schrems 2

On September 4th, the European Data Protection Board (EDPB) announced the establishment of two taskforces, dealing with complaints and supplementary measures for data transfers, following the CJEU’s decision in Schrems 2.

The first taskforce will review and respond to complaints made to EEA data protection authorities following the Schrems 2 decision, beginning with those complaints filed by None of Your Business (NOYB), a European privacy rights non-profit. Following the decision, NYOB filed over 100 identical complaints with 30 data protection authorities against several European companies with respect to their use of Facebook Connect and Google Analytics. Specifically, NYOB’s complaints claimed that use of those services meant transfers of personal data from the EU to the US relying either on Privacy Shield or SCCs, and that according to the decision in Schrems II the relevant data controller is therefore unable to ensure adequate protection for the personal data of EU data subjects. The EDPB has stated that the taskforce will examine the matter and ensure close cooperation among members of the Board.

The second taskforce will prepare recommendations to assist data controllers and processors in complying with their duty to identify and implement appropriate supplementary measures in order to ensure that EU personal data being transferred to third countries is adequately protected. However, EDPB Chair Andrea Jelinek stated that ‘the implications of the judgment are wide-ranging, and the contexts of data transfers to third countries very diverse. Therefore, there cannot be a one-size-fits-all, quick fix solution. Each organisation will need to evaluate its own data processing operations and transfers and take appropriate measures.’

The EDPB’s full press release regarding the taskforces can be found here.

Facebook and Irish Data Protection Commissioner face off again over EU-US data transfers

The Washington Post reported last week on a preliminary order issued by the Irish Data Protection Commissioner (DPC) to Facebook at the end of August, which was leaked to the newspaper. The order requires Facebook to suspend transfers of personal data to the US, and follows from the decision of the Court of Justice of the European Union (CJEU) in Schrems II which held that the EU-US Privacy Shield was invalid.

With Privacy Shield no longer available to permit EU data transfers to the US, Facebook, like thousands of other businesses, has continued to rely on Standard Contractual Clauses (SCCs) to support its data transfers to the US. Facebook has responded in a blog post following the reports of the DPC’s preliminary order, stating that the DPC had “commenced an inquiry into Facebook controlled EU-US data transfers, and has suggested that SCCs cannot in practice be used for EU-US transfers.”

Facebook said that it will continue to rely on SCCs, which were confirmed to be valid by the court in Schrems II, albeit subject to the parties’ considering whether they provide adequate protections in light of the domestic law of the recipient’s jurisdiction. Facebook stated that they would await further guidance from the regulator, noting that to prohibit reliance on SCCs would have far reaching consequences not only for businesses, but also potentially for public services including health and education. Facebook welcomed the efforts already underway between EU and US lawmakers to find a replacement mechanism for Privacy Shield; as noted above, the EDPB has also established two taskforces aimed at addressing data transfers post-Schrems II.

On Friday, it was revealed that Facebook is seeking a judicial review of the DPC’s preliminary order. We shall monitor the progress of the proceedings and report further in due course.

California Legislature passes Parental Consent for Social Media Use Bill

On September 8th, the California state legislature passed and presented to Governor Gavin Newsom for signature the Parent’s Accountability and Child Protect Act (AB 1138).

AB1138, if signed into law, would require businesses employing a social media application to obtain parental consent for use by children in California whom the business ‘actually knows’ are under the age of 13. Consent from a parent or guardian must be obtained prior to the creation of a child’s social media account, with businesses using reasonable measures to ensure that the consenting individual is in fact the child’s parent or guardian. Businesses that disregard a user’s age will be considered to have actual knowledge of that user’s age. Furthermore, AB1138 also prohibits businesses from using or keeping the consent information received for any purpose other than age verification.

Under AB1138, social media is defined as ‘an electronic service or account held open to the general public to post, on either a public or semi-public page dedicated to a particular user, electronic content or communication, including but not limited to videos, photos or messages intended to facilitate the sharing of information, ideas, personal messages or other content.’

In order to verify that the consenting individual is in fact the child’s parent or guardian, AB1138 permits social media businesses to require a parent or guardian to take one of a number of actions, including:

Provide a copy of a government-issued identification card that the business may check against a database, to be deleted from the business’ records after the verification process is complete;

  • Sign and submit a consent form;
  • Provide online payment system information allowing for the notification of the parent or guardian of each separate transaction made using the social media account;
  • Call a toll-free number or connect via video conference;
  • Provide a copy of a photographic identification card that the person or business can compare to another photograph submitted by the parent or guardian using facial recognition technology; or
  • Provide verifiable parental consent complying with the Children’s Online Privacy Protection Act of 1998.

AB1138 was initially tabled before the California legislature in February of 2019, but failed to pass following amendments made the Senate; it was granted reconsideration on August 30th 2020. Its passage closely follows the publication of the UK Information Commissioner’s Office Age Appropriate Design Code, which sets out standards that online services must meet to protect the privacy of children online (previously covered here).

For more information please contact Partner, James Tumbridge at