On the 26th of July, 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-US agreement known as Privacy Shield as it failed to protect EU citizens’ rights in accordance with the GDPR. This is the latest development in the long-running battle between Facebook and privacy advocate, Max Schrems.
This ruling impacts any data that flows outside the EU. We are talking about 7.1 trillion transatlantic economic relationships and 5,300 organizations that are currently Privacy Shield participants. Thousands of companies will now be forced to drastically change the way they trade data across the Atlantic. At the same time, this is a milestone in reinforcing the EU's commitment to protecting its citizens’ data – as well as a prominent example of how the GDPR’s influence extends well beyond the EU.
What is Privacy Shield Framework?
Privacy Shield Framework is a data-sharing protocol approved by the EU and the US for permitting transatlantic transfers of personal data, provided that the US recipient has achieved high-level security measures which replicate the EU’s privacy laws. To be certified under Privacy Shield, US-based organizations have to raise the bar above the data protection standards required under Federal laws and provide GDPR-like protection of personal information.
What did Privacy Shield replace?
Privacy Shield replaced a previous framework, Safe Harbor, whose validity was challenged back in 2015 by data privacy campaigner, Maximilian Schrems. Many controversies surrounded international data transfers between Europe and the US. The legal action Schrems launched against Facebook Ireland was probably the most effective of such disputes.
What was the purpose of Privacy Shield?
Personal data flows from the EU to non-EU countries are prohibited under the GDPR unless certain safeguards are put in place to ensure adequate data protection. This is where Privacy Shield came into play. The framework was approved by both US and EU governments to allow secure personal data transfers overseas.
Why was Privacy Shield invalidated?
A period of tranquillity began after Privacy Shield passed its second annual review by the European Commission. However, Schrems filed a second case in 2018 and the new transfer mechanism headed towards the same fate as Safe Harbor.
The privacy activist initially questioned the validity of the Standard Contractual Clauses (SCCs), which are used as an alternative mechanism for enabling data flows from the EU to third countries. The matter was subsequently referred to the European Court, which separately argued that Privacy Shield was failing to properly protect EU citizens.
Skepticism over the validity of Privacy Shield was raised around the ability of NSA and other US law enforcement agencies to access much more data than what was strictly necessary – which is not compatible with the GDPR. This led the CJEU to abolish Privacy Shield on the grounds that US policies prioritize national interests over the rights and freedoms of EU data subjects and do not offer them comparable protection as is provided in the EU.
Long story short, Privacy Shield is no longer a valid lawful basis for personal data transfers from the EU to the United States.
How can you ensure compliance in EU-US data transfers going forward?
If your business relies on global transfers of personal data, you must either stop your transfers or adopt a different GDPR-approved mechanism to ensure and maintain compliance.
1. Standard Contractual Clauses (SCCs)
This is the most effective and readily available option. To continue personal data transfers to countries outside the EU, put Standard Contractual Clauses in place between your business and the US-based organization you plan to transfer data to.
However, the Court stressed that data exporters relying on SCCs are required
to verify, on a case-by-case basis that the transferred data will have the same levels of protection as within the EU. Companies cannot just sign the SCCs; they also need to check if they can comply with them in practice.
This may only be a short-term solution since scrutiny of the SCCs has never been higher. For the time being, the transfer method is still valid. However, the judgment casts doubt over its reliability as a long-term mechanism for transatlantic data transfers.
2. Review your network of vendor relationships
The decision also affects businesses established in the European Union that engage non-EU-based vendors as service providers. If you feed personal data into external software that processes or stores it in the US, you must map your data flows and take measures to ensure compliance. A good starting point is to verify whether the software vendors offer data residency options and choose which country the data is to be stored in.
3. Binding Corporate Rules (BCRs)
No questions have been raised about the validity of Binding Corporate Rules. These are pre-approved internal policies and terms that can be implemented by multinational companies regarding intra-organizational data transfers. Therefore, BCRs remain a feasible GDPR-compliant method to enable cross-border data flows. However, this solution is only available for international organizations.
4. Remodel your data flows
You can also restructure your data flows, so no personal data is transferred to the US. It might sound like a troublesome and costly process, but it could be beneficial in the long run.
5. Collect explicit consent for each transfer
Necessary data flows are still legal under Art. 49 of the GDPR. As long as users consent to their personal data being transferred abroad, the transfer is legitimate. Its lawful basis is the informed consent of the data subject.
The same goes for the admissibility of cross-border data sharing that is
necessary to fulfill a contract. In other words, crucially necessary data flows can be still undertaken. The US is now only deprived of its special access to EU data in the same way that most other third countries are.
What does the invalidation of Privacy Shield mean for Penneo customers?
If you use Penneo to manage your documents and data, you don't need to be concerned about the Privacy Shield invalidation as we do not transfer personal data outside the EU. Our IT systems and websites are hosted on locations within the EU (Germany and Ireland) by the market-leading cloud infrastructure Amazon Web Services (AWS). AWS is a highly secure global data center that maintains the greatest levels of compliance.
Bottom line – the devil’s in the data
The Privacy Shield invalidation has left legal departments wondering how they can ensure consistency and reliability in their level of compliance. The ongoing nature of the issue increases uncertainty and concerns. After all, the significant media attention on the subject is due to its global relevance, as the actual impact on the economies of major data hubs and the use of service providers outside of the EU remains to unfold.
A worthwhile takeaway might be highlighting the need for any company to have an overview of what personal information is being retained and where the data processing and storage take place. Leveraging digital solutions like Penneo to manage documents and data allows companies to benefit from a high level of comfort regarding security and privacy. Our product is purpose-built to meet the needs of even the most compliance-conscious customers, who trust us with keeping their sensitive information safe and confidential.