Invalid Privacy Shield – What is at Stake?

The Court of Justice of the European Union (“CJEU”) on July 16 invalidated the EU–U.S. Privacy Shield. As a result, the validity of data transfer mechanisms, in particular those between the European Union and the United States, is now in question. In 2000, the EC put in place an adequacy mechanism known as the “Safe Harbour” for personal data transfers to the U.S. It was invalidated by the CJEU in 2015, due in large part to U.S. surveillance practices that arose in the wake of 9/11. It was replaced in 2016 by the Privacy Shield, which aimed to address the concerns that the CJEU outlined in its Schrems I judgment. The Court also looked at SCCs (Standard Contractual Clauses). While the CJEU did not invalidate this mechanism, it did underline that it is up to the exporting and importing organizations to verify that the legal system of the country where the recipient organization resides provides sufficient safeguards.

Under Privacy Shield, U.S. companies guaranteed that they would meet seven principles when handling EU-governed personal data:

  • Notice: Individuals must be notified about the collection and use of their personal information.
  • Choice: Organizations must give individuals the opportunity to opt-out of the disclosure of their personal data to third parties.
  • Accountability for Onward Transfers: Organizations remain accountable for applying the notice and choice principles when disclosing personal data to third parties.
  • Access: Individuals must be able to access their personal data being stored by an organization.
  • Security: Organizations must protect personal data from loss, misuse, unauthorized access, and disclosure.
  • Data Integrity: Organizations must ensure data is reliable and relevant for the purpose for which it is being used.
  • Recourse, Enforcement, and Liability: Individuals have the right to affordable recourse mechanisms if they believe their personal data has been misused.

The Privacy Shield framework governing the transfer of personal data from Europe to the United States is no longer valid. This ruling closely resembles the ruling five years ago that undid the predecessor to the Privacy Shield framework, the Safe Harbor. The reasoning in both decisions (nicknamed Schrems I and Schrems II after the plaintiff) is that, because surveillance is such a consistent part of American life, and because the government has such easy access to data held by large companies and their affiliates, the likelihood that European personal data would be protected, or used only in ways that data subjects understood, was fairly low.

Although Privacy Shield was invalidated, SCCs are still permitted for the transfer of EU personal data outside of the EU. However, these clauses are merely a data transfer tool, so organizations must ensure, prior to any data transfers, that there is an adequate level of protection against U.S. government surveillance. The CJEU also emphasized three stakeholder obligations:

  1. Data exporters are responsible for verifying the importer’s ability to provide an equivalent level of data protection in the third country.
  2. Data importers must notify exporters if they are unable to comply with the SCCs.
  3. Data exporters must suspend or terminate the transfer if the importer gives notice that they cannot comply with the SCCs.

In order to determine which new data transfer mechanism should replace Privacy Shield, you need to understand how your company collects, stores, uses, and transfers data. Implementing a robust data governance strategy can help your organization build processes and policies for managing data, evaluating third parties, and even monitoring regulatory change. With the help of the NIST Privacy Framework, your organization can improve its approach to using and protecting personal data and determine which data transfer mechanism aligns best with your organization’s business needs.

If you were a company previously certified under Privacy Shield, the first and most important thing to do is to identify every contract and every relationship that involves the transfer of personal data from the European Union to the United States. If all the data that you’re transferring is transactional, for instance, and doesn’t touch on anything that could be considered personal data, Schrems II isn’t really going to have much of an effect on you. But most businesses do collect some form of personal data, even if it’s only the business address and contact information of their partners. In that case, once you’ve identified which relationships are a source of data about European citizens, you have to review your agreements and determine whether you want to continue to receive that data and, if so, how the SCCs could be implemented. Because many data relationships are bilateral in both benefit and cost, partners may be willing to work with you to rapidly ensure that no interruption in business occurs. But there will always be some partners who will not miss the opportunity to use this as leverage to renegotiate a deal.

With FileCloud Online you have the option to host in secure, world-class data centers. Data storage is available in the region of your choice (US, EU, Canada, Australia, APAC, and SE Asia) to meet data residency requirements. Also, with FileCloud On-Premise you can use your existing infrastructure to store and share data while abiding by EU data protection laws.