Note: The situation around Privacy Shield and EU-US data transfers is evolving fast. We'll update this article with any breaking changes.
Privacy Shield is no longer a valid legal framework for transferring data from the EU and Switzerland to the US.
The invalidation of Privacy Shield has caused an uproar on both sides of the Atlantic, but data hasn’t stopped flowing. Large tech companies such as Google still send heaps of data about EU residents to the US.
So what does this really mean for companies that want to transfer data? What has changed?
The background for the invalidation of Privacy Shield
What is Privacy Shield?
Privacy Shield was a pair of agreements, one between the EU and the US and one between Switzerland and the US, that gave companies a legal basis for transferring personal data from the EU and Switzerland to the US (EU-US data transfers, for short). On July 16, 2020 the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield. On September 8, 2020 the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland concluded that the Swiss-US Privacy Shield no longer provides an adequate level of protection either.
The US Department of Commerce ran the program. Organizations submitted information online, such as their privacy policies, and paid a small fee to be added to the framework. The idea was a mechanism simpler than negotiating standard contractual clauses (SCCs) or binding corporate rules (BCRs) for each partner and each type of data transfer.
Over 5300 companies had signed up to the Privacy Shield program since its creation in July 2016.
Privacy Shield was created to replace the International Safe Harbor Privacy Principles (Safe Harbor, for short), which the CJEU had invalidated in October 2015.
What is Safe Harbor?
Safe Harbor was a legal framework that served the same function as Privacy Shield. The EU had issued the Data Protection Directive in 1995, which allowed personal data to leave the EU only for countries offering an adequate level of protection, so regulators decided that something was needed to ensure that companies transferring data to the US adhered to the EU principles.
Starting in July 2000, US companies could sign up to the Safe Harbor principles, which would then allow them to transfer personal data about EU residents to the US.
Why were Privacy Shield and Safe Harbor invalidated?
Both were ruled invalid in cases brought by privacy rights advocate Max Schrems.
The exact reasons fill hundreds of pages of legal opinions. The short answer: the CJEU ruled that US law does not protect personal data to a standard essentially equivalent to the EU's. In Schrems II the court pointed to US surveillance programs that are not limited to what is strictly necessary and to the lack of any effective remedy for EU residents before US courts.
Read more about the legal meaning of personal data in this article: What Is PII, non-PII, and personal data?
Put another way, there is a mismatch between data privacy regulations in the EU and in the US. EU courts viewed this gap to be too large to cover with a general agreement such as Privacy Shield or Safe Harbor.
The problem is not new. Since the creation of Privacy Shield, there have been rumors that it would be invalidated for this or that reason. The case that finally finished the job is usually referred to as Schrems II. It originally concerned the SCCs Facebook used for its own transfers; the court upheld the SCC mechanism but went on to strike down Privacy Shield.
What's more, the CJEU specifically confirmed in its Schrems II ruling that SCCs remain a valid way for companies to justify data transfers. At the same time, the court made clear that SCCs are not a rubber stamp: the data exporter has to assess, transfer by transfer, whether the law of the destination country lets the importer actually honor the clauses, and add supplementary measures (or stop the transfer) where it doesn't. Data protection authorities (DPAs) and courts are expected to check those assessments case by case.
The new practical realities of EU-US data transfers
First a disclaimer: Piwik PRO sells software, we don't give legal advice. The technical aspects are important, and we have a lot to say about them. But many of the issues around international data transfers will be resolved in courtrooms. Whatever you do, you should seek professional legal counsel in addition to making the right technical decisions.
What is the current status of EU-US data transfers?
Privacy Shield is no longer a valid legal justification for EU-US data transfers. Companies now tend to rely on the standard contractual clauses (SCCs) approved by the European Commission, or, for transfers within a corporate group, on binding corporate rules (BCRs).
Any legal justification still needs to show compliance with the EU’s General Data Protection Regulation (GDPR).
What is the practical effect on my company?
EU-US transfers of personal data could be riskier, depending on how you handle personal data.
We don’t know how much riskier just yet. SCCs and BCRs still allow for data transfers but EU data protection authorities (DPA) and courts will evaluate them on an individual basis.
Privacy Shield covered thousands of companies, including giants such as Facebook and Google. That group insurance policy, so to speak, has disappeared. Individual companies are at higher risk of legal action from consumers, consumer rights groups and DPAs.
What can my company do to minimize the risk?
Fully control your data. Understand what kind of data you collect, store and transfer. Also understand how and when it moves from place to place.
Cloud software services are wonderful. But many vendors aren't transparent about how they handle personal data. Work with transparent partners that give you maximum flexibility for how you handle data from their services. This should include where the data is stored at rest, how it is replicated across data centers and when an EU-US data transfer can occur, such as for disaster recovery or vendor support access.
It's a good idea to work with those that support principles such as privacy by design and data minimization. Following these principles will help you deal with less personal data, minimizing your risk. Keep in mind that the main issue around Privacy Shield and GDPR is personal data. Truly anonymous data that can't be tied back to an individual isn't affected by the invalidation of Privacy Shield. Be careful with the word "anonymous", though: data that has merely been pseudonymized, for example by replacing a user ID with a hash, is still personal data under the GDPR, because whoever holds the key or the mapping can re-identify the person.
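To make the anonymous-versus-pseudonymous distinction concrete, here is an added example (not code from the original article or from Piwik PRO's product) that minimizes an analytics event before it is shipped to a US region. The field names, the sample event and the truncation policy (IPv4 to a /24, IPv6 to a /48) are assumptions chosen for the illustration; the point is that dropping direct identifiers and truncating the IP can leave a record you may treat as anonymous, while replacing the user ID with a keyed hash only pseudonymizes it and keeps the record inside the GDPR.

```python
"""Added example: minimizing an analytics event before an EU-US transfer.

Three states the GDPR treats differently (Recital 26):
  personal:     direct identifiers present (email, user id, full IP)
  pseudonymous: identifiers replaced by a keyed hash; still personal data,
                because the key holder can re-identify the person
  anonymous:    no remaining field, alone or combined, points at one person

Field names and the /24 and /48 truncation policy are assumptions made for
this example, not Piwik PRO settings.
"""
import hashlib
import hmac
import ipaddress
from typing import Optional

# Assumed schema: fields that identify a person on their own.
DIRECT_IDENTIFIERS = {"user_id", "email", "ip"}
# Fields that hold a keyed hash of an identifier (pseudonyms).
PSEUDONYMOUS_FIELDS = {"user_token"}


def truncate_ip(ip: str) -> str:
    """Zero the host bits so the address names a network, not a device."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def pseudonymize(value: str, key: bytes) -> str:
    """HMAC-SHA256 of the identifier. Anyone holding `key` can recompute the
    token from a known user ID, so this is pseudonymization, not anonymization."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def minimize_event(event: dict, key: Optional[bytes] = None) -> dict:
    """Return a copy of the event with direct identifiers removed and the IP
    truncated. If `key` is given, keep a pseudonymous user token so sessions
    can still be linked; the result is then still personal data."""
    out = {k: v for k, v in event.items() if k not in DIRECT_IDENTIFIERS}
    if "ip" in event:
        out["ip_prefix"] = truncate_ip(event["ip"])
    if key is not None and "user_id" in event:
        out["user_token"] = pseudonymize(str(event["user_id"]), key)
    return out


def classify(event: dict) -> str:
    """Which GDPR bucket the record falls in, judged on field names alone.
    A real assessment must also consider whether the remaining fields
    (timestamp, page, network prefix) single out a person in combination."""
    if DIRECT_IDENTIFIERS & set(event):
        return "personal"
    if PSEUDONYMOUS_FIELDS & set(event):
        return "pseudonymous"
    return "anonymous"


# Constructed sample event for the example, not real traffic.
SAMPLE_EVENT = {
    "user_id": "u-1842",
    "email": "alice@example.org",
    "ip": "203.0.113.77",
    "page": "/pricing",
    "ts": "2020-09-10T12:00:00Z",
}

if __name__ == "__main__":
    print(classify(SAMPLE_EVENT), SAMPLE_EVENT)
    stripped = minimize_event(SAMPLE_EVENT)
    print(classify(stripped), stripped)
    linked = minimize_event(SAMPLE_EVENT, key=b"per-tenant-secret")
    print(classify(linked), linked)
```

Run it and the same event comes out as "personal", "anonymous" and "pseudonymous" depending on what you keep. The honest caveat is in `classify`: a field-name check is a starting point, not a legal determination, since a precise timestamp plus a rare page plus a /24 can still single out one visitor in a small population.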
Read more about how to best collect consents in this article: How to obtain consent and collect data under CNIL guidance and GDPR
Consent is another option. The GDPR also allows a transfer based on the explicit, informed consent of the data subject, the person the data is about (Article 49), after they have been told about the risks of the transfer. Keep in mind that the European Data Protection Board treats this derogation as an exception for occasional transfers, not as a routine replacement for Privacy Shield. Also make sure those consents aren't pre-ticked or granted by default and aren't hidden in long user agreements full of legal jargon.
Who processes data and where is also important. You will minimize risk if personal, and especially sensitive, data is processed by partners headquartered in the EU rather than in the US, and stays in EU data centers.
How quickly does my company need to react to these changes?
For the moment, there is a constant, low level of risk for those who don’t have their data house in order. That risk will only grow.
Data privacy regulations are becoming more common. Gartner estimates that by 2023, 65% of the world’s population will have their personal data protected by some kind of modern regulation.
In the EU, where the GDPR has been in force since May 2018, the number of fines has been increasing.
There are already many legal complaints probing the compliance of SCCs adopted by Google and Facebook in the wake of the Privacy Shield decision. More legal action of this kind is likely.
These trends were present well before this latest ruling. DPAs have been steadily announcing detailed policies for fines and enforcement:
- Details about GDPR fines in Germany released in October 2019
- Details about GDPR fines in the Netherlands (in Dutch) released in March 2019
- New guidelines about processing personal data online in Denmark (in Danish) released in February of 2020
Two years after GDPR came into force, the legal wheels are turning and gathering momentum. The invalidation of Privacy Shield is just one more signal pointing to the bigger trend of increased enforcement.
The future of EU-US data transfers
The fact that there have already been two similar frameworks for data transfers hints at the possibility of a third. EU and US officials announced talks to find a new agreement. Some predict a new agreement similar to Privacy Shield will be in place before the end of the year. Despite such optimism, predicting what happens in the near future is tricky.
International data transfers fall under the general category of international trade. Since international trade is subject to political forces of all kinds, the same is true for data transfers. It could depend on everything from the state of the COVID-19 pandemic to the results of the American elections in November.
That said, there are two larger trends worth paying attention to.
Borders between internets
The internet used to be an unregulated space. That is less true with every passing day. Regulations on everything from ecommerce sales tax to where personal data needs to be stored are becoming more common. As this has happened, different countries have come up with different legal methods of regulating the internet.
Those differences lead to problems like the one between the EU and the US right now. There will be political and diplomatic solutions to only some of those problems.
However, the future of EU-US data transfers is bright. More factors unite the US and the EU than separate them, both legally and culturally speaking.
Other countries, however, aren’t moving in the same direction with respect to data privacy. With these countries, it’s possible that we’ll see more borders thrown up between increasingly isolated parts of the internet.
Unification of data privacy regulations
EU and US regulations are likely to evolve in a similar direction. Several US states have already passed data privacy laws that borrow many ideas from the GDPR, California's CCPA being the best known.
This unification will eventually make data transfers easier. But it won't be because standards are lower. To the contrary, standards will most likely rise closer and closer to the bar set by laws such as the GDPR. So while we expect EU-US transfers to eventually become easier, individual companies will be held to higher standards.
If you’d like to discuss the technical challenges you’re having with data residency, personal data collection or GDPR compliance, be sure to get in touch.