On the 26th of July, 2020, the Court of Justice of the European Union invalidated the EU-US agreement known as Privacy Shield as it failed to protect EU citizens’ rights in accordance with the GDPR. This is the latest development in the long-running battle between Facebook and privacy activist Max Schrems.
This ruling impacts all data flows between the European Union and the United States. We are talking about 7.1 trillion transatlantic economic relationships and 5,300 organizations that are currently Privacy Shield participants.
Following the invalidation of the Privacy Shield, thousands of companies will be forced to drastically change how they trade data across the Atlantic.
Besides reinforcing the EU’s commitment to protecting its citizens’ data, the Privacy Shield invalidation shows that the GDPR’s influence extends well beyond the EU.
What was the Privacy Shield?
The Privacy Shield was a legal framework regulating transfers of personal data from the EU to the US. US-based organizations that wanted to join the Privacy Shield Framework had to comply with the high data protection standards set out by it.
The Privacy Shield replaced a previous framework, Safe Harbor, whose validity was challenged back in 2015 by Max Schrems. Many controversies surrounded international data transfers between Europe and the US. The legal action Schrems launched against Facebook Ireland was probably the most effective of such disputes.
What was the purpose of the Privacy Shield?
Personal data flows from EU to non-EU countries are prohibited under the GDPR unless organizations implement specific safeguards to ensure adequate data protection. This is where the Privacy Shield came into play. The framework was approved by both the EU and the US to ensure secure transatlantic data transfers.
Why was the Privacy Shield invalidated?
A period of tranquillity began after the Privacy Shield passed its second annual review by the European Commission. However, Max Schrems filed a second case in 2018, and the new transfer mechanism ended up having the same fate as Safe Harbor.
The privacy activist initially questioned the validity of Standard Contractual Clauses (SCCs), an alternative mechanism for enabling data transfer between EU and non-EU countries. The matter was subsequently referred to the European Court, which separately argued that the Privacy Shield framework failed to adequately protect EU citizens.
The two main reasons why the Privacy Shield failed to adequately protect EU citizens’ personal data were:
- US law enforcement's ability to gain access to the personal data transferred under the Privacy Shield, which violated the GDPR
- EU citizens' lack of actionable rights in the US court system against government violations
Long story short, the Privacy Shield is no longer a valid basis for personal data transfers from the EU to the United States.
How can you ensure compliance in EU-US data transfers going forward?
Businesses that rely on the Privacy Shield to transfer personal data across the Atlantic have to either stop their transfers or adopt a GDPR-approved data transfer mechanism.
Here is how you can ensure compliance going forward.
1. Standard Contractual Clauses (SCCs)
Standard contractual clauses are the most effective and readily available option. To continue transferring personal data across the Atlantic, you must implement Standard Contractual Clauses.
However, data exporters relying on SCCs must verify, on a case-by-case basis, that the transferred data will have the same levels of protection as within the EU. Companies cannot just sign the SCCs; they also need to check if they can comply with them in practice.
This may only be a short-term solution since scrutiny of the SCCs has never been higher. But for the time being, this transfer mechanism is still valid.
2. Review your network of vendor relationships
The Privacy Shield invalidation also affects businesses established in the European Union that work with US service providers.
Businesses that use third-party software that processes or stores personal data in the US must map their data flows and take measures to ensure compliance.
A good starting point is to verify whether the software vendor offers data residency options and choose an EU country instead.
3. Binding Corporate Rules (BCRs)
No questions have been raised about the validity of Binding Corporate Rules. These are pre-approved internal policies and terms that can be implemented by multinational companies for intraorganizational data transfers. Therefore, BCRs remain a GDPR-compliant method to transfer data across borders. However, this solution is only available for international organizations.
4. Remodel your data flows
You can also restructure your data flows so that no personal data is transferred to the US. It might sound like a troublesome and costly process, but it will definitely pay off in the long run.
5. Collect explicit consent for each transfer
Necessary data flows are still legal under Art. 49 of the GDPR. As long as users consent to their personal data being transferred to the US, the transfer is legitimate. Its lawful basis is the consent of the data subject.
The same goes for cross-border data transfers necessary to fulfil a contract. In other words, you can still transfer essential data to the US.
What does the invalidation of the Privacy Shield mean for Penneo customers?
The Privacy Shield invalidation has left legal departments wondering how they can ensure regulatory compliance. The ongoing nature of the issue increases uncertainty and concerns. After all, the significant media attention on the subject is due to its global relevance.
But one thing is clear — companies need to have a comprehensive overview of what personal information they retain and where their data processing and storage takes place.
Leveraging digital solutions like Penneo Sign and Penneo KYC to collect, manage, and sign documents allows companies to benefit from a high level of security and privacy.
Plus, both Penneo Sign and Penneo KYC were built to meet the security and compliance needs of businesses operating in the EU.