EU Nullifies Privacy Shield: Now What?

Until very recently, companies doing business in EU member states were able to transfer EU residents’ personal data to the US under the EU-U.S. Privacy Shield. Under this framework, companies self-certified that they had sufficient controls in place to protect the security and privacy of EU residents’ data. Several thousand companies, including a significant number of Small and Medium Businesses (SMBs), took this route so that they could consolidate sales and other data into centralized databases and data pools in the US.

However, on July 16, 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-U.S. Privacy Shield in its Schrems II judgment. The ruling rested on several points:

  1. U.S. companies cannot prevent the U.S. Government from obtaining corporate data for use by the intelligence community, and that collection often exceeds what is permitted under the General Data Protection Regulation (GDPR);
  2. The self-certification process could not ensure that companies were in fact providing security and privacy in accordance with GDPR requirements; and
  3. No mechanism existed to allow the EU to ensure that those requirements were contractually binding and enforceable in accordance with EU law.

In its ruling, the Court left the Standard Contractual Clauses option in place. SCCs are contract terms between a data exporter and a data importer that commit the importer to specific safeguards for EU residents’ privacy. However, the Court directed data protection authorities to enforce those clauses and, where the importer cannot actually comply with them, to suspend or prohibit the transfer.

The use of Standard Contractual Clauses (SCCs) presents a challenge for many companies in the US. They were written almost entirely from the EU perspective and require the importer to adhere to a set of security and privacy obligations that may conflict with US government information requests. The European Commission has approved a fixed set of clauses, which must be used as written and therefore offer little room for negotiation; clauses drafted by the parties themselves must instead be approved by the data protection authority in the country from which the data is to be exported. As a result, US companies have limited options when it comes to importing EU data, and SCCs can present real problems for those seeking to import EU resident data.

Binding Corporate Rules (BCR) offer another means of importing data from the EU, though only for transfers within a corporate group. They are equally rigid and must also be approved by the competent data protection authority in the country from which the data is to be transferred. If data from more than one country will be transferred, the data protection authorities of each of those countries must be involved in the approval process.

In the meantime, the German data protection authority has issued a statement which says:

  1. The transfer of personal data to the US on the basis of Privacy Shield is not permitted and must be discontinued immediately.
  2. For a transfer of personal data to the US and other third countries, the existing standard contractual clauses of the European Commission may in principle continue to be used. However, the law of the third country must not interfere with these safeguards in a way that impairs their actual effect.
  3. The judgment also applies to other guarantees under Article 46 GDPR, such as binding corporate rules (BCR), on the basis of which personal data may be transferred to the USA and other third countries. Therefore, for data transfers on the basis of BCR, supplementary measures are also to be agreed where the rights of data subjects in the third country do not enjoy the same level of protection as those in the Union.

In any case, US companies can expect the EU data protection authorities to require that they adhere closely, if not precisely, to GDPR requirements. Under these circumstances, attaining GDPR compliance may be a US company’s best route to ensuring uninterrupted data flow. While the US Commerce Department has already begun negotiations with the EU for a replacement, it is not expected to be ready for several months, if ever. Given the current political tensions between the EU and the US, any interim agreement is likely to be protracted, and may in fact never materialize. The EU is taking its privacy requirements seriously, and companies that expect to continue doing business in the EU should anticipate and plan for becoming GDPR compliant.

GDT Advisory Services can help companies assess their GDPR readiness through our EU-GDPR Readiness Assessment program and can provide guidance on preparing for and achieving GDPR compliance. In addition, our Compliance-as-a-Service program can provide your company with GDPR-certified personnel on a part-time or as-needed basis to help you maintain compliance with the Regulation on an ongoing basis. If you would like more information about GDPR readiness and compliance, contact me at paul.kendall@gdt.com. I’d love to hear from you.
