Europe’s top court, the Court of Justice of the European Union, recently struck down the EU-US data privacy arrangement known as Privacy Shield, which many organizations rely on when transferring data from the EU to the United States.
Privacy Shield was adopted in 2016 to replace the Safe Harbor framework, which the same court had declared invalid in 2015 (the Schrems I decision). Beyond replacing Safe Harbor, it aimed to protect the fundamental rights of anyone in the EU whose personal data is transferred to the United States for commercial purposes.
The Privacy Shield framework included:
- Strong data protection obligations on companies receiving personal data from the EU
- Safeguards on US government access to data
- Effective protection and redress for individuals
- An annual joint review by EU and US to monitor the correct application of the arrangement
Under GDPR (the EU's General Data Protection Regulation), Privacy Shield functioned as an adequacy decision: a finding that personal data transferred out of the EU for commercial purposes to a certified US organization still received protection essentially equivalent to what it had while in the EU.
This certainly sounds like a good goal, and roughly 5,300 organizations (about 65% small-medium enterprises (SMEs) or start-ups) have self-certified under Privacy Shield since 2016. So, what went wrong?
Privacy Shield Declared Invalid
On July 16th, 2020, the Court of Justice of the European Union declared Privacy Shield invalid (the decision commonly called Schrems II). The court found two major issues with Privacy Shield under GDPR.
1. The court found that U.S. privacy and surveillance laws “are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required, under EU law.”
In other words, US agencies such as the NSA have access to personal data transferred out of the EU that goes beyond what is strictly necessary and proportionate by EU standards, so the protection is not "essentially equivalent" to that in the EU. The court pointed specifically to US surveillance programs authorized under Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333, and found that the limits those laws place on government access do not meet EU requirements.
So the issue wasn't how US companies handled EU personal data, but rather the shortcomings of US federal surveillance law when measured against GDPR and the EU Charter of Fundamental Rights.
2. Privacy Shield established an ombudsperson in the US State Department responsible for handling complaints from EU data subjects about how US intelligence agencies accessed data transferred from the EU to the US.
The court found this mechanism “does not provide data subjects with any cause of action before a body which offers guarantees substantially equivalent to those required by EU law”.
Simply put, the ombudsperson was neither sufficiently independent of the US executive branch nor empowered to issue decisions binding on US intelligence agencies, so the mechanism did not give EU data subjects the judicial redress that EU law requires.
What Does This Mean for Organizations Using Privacy Shield?
Companies that relied on Privacy Shield for EU-US data transfers can no longer use this mechanism, as the adequacy decision underpinning it has been annulled. There are, however, two common alternatives to Privacy Shield.
Standard contractual clauses (SCCs) are model contract terms approved by the European Commission that the data exporter and importer both sign, committing the importer to GDPR-level protections when data is transferred from the EU to another country (like the US). Binding Corporate Rules (BCRs) can also be used in place of Privacy Shield when SCCs don't fit an organization's needs; note that BCRs only cover transfers within a single corporate group and must be approved by an EU supervisory authority before use.
In either case, these methods aren't as easy to use as Privacy Shield. The court upheld SCCs themselves, but it made clear that the same concerns about US surveillance law apply to transfers made under them. Companies exporting data from the EU must now conduct an upfront, case-by-case analysis of whether the destination country's law undermines the protections the clauses promise, and must adopt supplementary measures (technical, contractual, or organizational) where it does.
On top of this, a US company can only rely on SCCs or BCRs if the parties can verify that "U.S. law does not impinge on the adequate level of protection" for the transferred data. If this standard cannot be met, the exporter must suspend the transfers, and the competent supervisory authority is required to suspend or prohibit them if it finds the clauses cannot be complied with.
There’s also no grace period. Organizations that previously used Privacy Shield must immediately switch to SCCs/BCRs or suspend data transfers from the EU. This puts most organizations in a tight spot, although larger companies such as Facebook and Microsoft already use SCCs.
In any case, organizations previously using Privacy Shield now need to reevaluate whether their data transfer processes meet GDPR standards and, where their chosen mechanism requires it (for example, BCR approval), engage the relevant EU supervisory authority.
The European Data Protection Board (EDPB) also posted a FAQ on the Privacy Shield decision. Per this FAQ, the GDPR Article 49 derogations (such as explicit consent or transfers necessary to perform a contract) may also be a basis for certain data transfers, but they are intended for occasional, non-repetitive transfers rather than as a general replacement for Privacy Shield.
Moving Forward Without Privacy Shield
The revocation of Privacy Shield creates a lot more work for U.S. companies that transfer personal data from the EU.
One would expect the US Department of Commerce and the European Commission, in consultation with the European Data Protection Board (EDPB), to negotiate a new framework for data transfers that meets GDPR and EU privacy standards. However, nothing has been announced yet.
As of July 2020, there’s no simple solution given the state of how the EU perceives U.S. federal intelligence and surveillance and how that violates GDPR compliance.
How Stealthbits Can Help
The most common path forward, until another framework is put in place, is to use the aforementioned SCCs to transfer data from the EU to the US. Since these are contractual commitments between the exporter and importer of data, US organizations that sign them need to know what EU personal data they hold, where it lives, and who can access it in order to demonstrate that their data handling meets GDPR standards.
Data access governance technology is especially helpful here. As a full-fledged data access governance solution, Stealthbits helps organizations with:
Host Discovery: Identify the different platforms within your network that may contain various unstructured and structured data repositories to ensure a comprehensive view of your organization’s data privacy footprint.
Sensitive Data Discovery: Capabilities that analyze structured and unstructured content for patterns or keywords that match built-in or customized criteria related to customer privacy and personally identifiable information (PII).
Remediation Actions: Automate all or portions of the tasks you need to perform to demonstrate compliance with GDPR, SCC agreements, and a myriad of other regulatory standards.
Stealthbits can identify the personal data your organization stores, determine who has access to it, track what is done with that data, protect it, and provide reporting workflows for internal use as well as official data audits.
Learn more about how Stealthbits can help with compliance regulations and auditing.
Dan Piazza is a Technical Product Manager at Stealthbits Technologies, responsible for File Systems and Sensitive Data in StealthAUDIT. He has worked in technical roles since 2013, with a passion for cybersecurity, data protection, data storage, and automation. He has a Bachelor’s degree from Bryant University, and outside of tech he enjoys running, tennis, and snowboarding.