Archive & Data Protection

    EU-U.S. Data Privacy Shield is Invalidated: Now What?

    With the EU-U.S. Privacy Shield for data transfers up in the air, companies worldwide face a shifting and confusing privacy landscape full of unknowns.

    by Karen Lynch

    Key Points

    • Europe’s top court recently invalidated a key rule governing the flow of data between the EU and U.S.
    • The surprise Privacy Shield ruling has once again upset the playing field for U.S. digital businesses that collect and store Europeans’ personal information.
    • Developments since the July ruling raise more questions than they answer about meeting Europe’s requirements for data privacy.

    Companies everywhere uttered a collective “Now what?” after the latest data privacy agreement between the European Union and U.S. was recently struck down. When Europe’s highest court invalidated the EU-U.S. Privacy Shield Framework in July,[i] it reshuffled the deck of known knowns, known unknowns, and unknown unknowns surrounding the trans-Atlantic flow of customers’ and employees’ personal information.

    But even with the rules in flux, there appears to be no letup in governmental pressure to comply, on either side of the Atlantic. And storage of email data may top the list of companies’ concerns, since it’s among many organizations’ largest repositories of personal information.

    The current wave of uncertainty includes questions about which mechanisms can now be used to keep transferring personal information in the absence of the Privacy Shield. For example, other data safeguards, such as EU-authorized “standard contractual clauses,” remain viable—that is, under stricter conditions and in the face of possible challenges by individual European countries. Companies also wonder what EU and U.S. policymakers might negotiate next and whether an American data privacy policy will emerge that would shore up—or erode—trans-Atlantic data trust.

    For many companies, handling Europeans’ personal information requires ensuring compliance by their own partners—third-party data processing and cloud service vendors who actually implement the required safeguards. “Companies navigating this need to be acutely aware of what does and doesn’t happen in their partners’ operations and supply chains,” said Mark Bilbe, U.S. Chief of Staff, Mimecast.

    Businesses also have to ensure that their own systems comply. And even beyond the surprise EU Privacy Shield ruling, all organizations are contending with a broader landscape of mismatched and continually shifting data privacy policies in jurisdictions across the world.

    Privacy Shield Decision, in Brief

    Two related developments coincided in 2016: Europe’s adoption of the General Data Protection Regulation (GDPR) and the EU-U.S. Privacy Shield agreement. The GDPR requires commercial organizations to protect the personal information of European citizens, even outside of Europe. The Privacy Shield focuses on European data handled and stored in the U.S., where European policymakers view data privacy rules to be inadequate, especially given national security surveillance. Several other countries’ rules have been EU-approved as adequate. But a separate arrangement had to be set up for the U.S. That’s how the Privacy Shield came to replace the U.S.-EU Safe Harbor Framework, a prior data privacy agreement that collapsed in 2015.

    Under the Privacy Shield, companies could annually self-certify their public commitment to operationally uphold certain principles for protecting personal data, subject to enforcement. Among these principles are individual choice regarding the use of personal data—which triggered all those opt-out pop-ups on websites you visit. Over 5,000 American companies and U.S. subsidiaries of European businesses have self-certified,[ii] covering themselves and tens of thousands of partner and customer organizations.[iii]

    But now the Privacy Shield is dead—or is it? Let’s look at developments and analysis since the July ruling.

    Privacy Shield Future

    Known Known: The U.S. Commerce Department has made it clear that companies should continue to self-certify.[iv]

    Known Unknown: Why continue? A joint U.S.-EU statement has promised discussions on an “enhanced” Privacy Shield,[v] and Commerce will keep administering the program while talks continue. Observers have expressed skepticism about the outcome of these discussions, though, and whether any new arrangement could withstand inevitable legal challenges.

    EU-U.S. Data Privacy Alternatives

    Known Knowns: Alternatives to the Privacy Shield include the standard contract clauses mentioned above and two other types of agreements: binding corporate rules and individual consent. Many data processers and cloud service providers were already proactively managing compliance risk prior to the court’s decision, by using both the Privacy Shield and standard contractual clauses, while others are now catching up. The two other options are both felt to be difficult to implement. Another alternative is setting up European hubs.

    Known Unknowns: When the court upheld standard contract clauses, it also tightened their requirements but gave no grace period for meeting them. Then, almost immediately, enforcement activities in Ireland appeared to call the clauses’ validity into question.[vi] And at least in Germany, regulators left the door open to further challenges.[vii] Another question mark hovers over the UK, where many non-EU companies have data hubs. Britain’s exit from the EU is imminent, and European officials have questioned the adequacy of the country’s data privacy protections.[viii] Meanwhile, some observers are predicting that the Europeans will rewrite the clauses, which are now several years old.[ix]

    U.S. Data Privacy Policy

    Known Knowns: In the U.S., data privacy policy has proceeded mostly at the state level, led by a GDPR-like California Consumer Privacy Act (CCPA), and through sectoral rules, such as the Health Insurance Portability and Accountability Act of 1996. There’s no overarching federal data privacy law, though bills have been introduced over the years.

    Known Unknowns: It is yet to be seen whether federal legislation could be passed and then whether the new law would mitigate or aggravate trans-Atlantic data flow issues. For instance, one bill that has been introduced, the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), would make the overseas servers of U.S. companies subject to security surveillance.[x] But the Consumer Data Privacy and Security Act of 2020[xi] mirrors provisions in the GDPR and CCPA. And there are more. Also casting a big shadow: the 2020 U.S. election.

    How to Stay Compliant in Changing Times

    Time-tested tips for ongoing and new privacy compliance challenges include:

    • Know your data. Look across all data systems and services to understand how much personal information you are collecting and storing on European citizens.
    • Only collect and store data you need.
    • Disclose what you’re collecting and how you intend to use it.
    • Give individuals the chance to opt out.
    • Check your data processing and cloud service providers’ policies and practices, including their management of their own vendors. Some—including Mimecast—post details and data privacy agreements they’ll sign with you.
    • Ask how your vendors are adjusting to the latest rules changes, as they unfold. Keep in mind that regulators usually hold you responsible for your vendors’ handling of your customers’ and employees’ personal information.
    • Include all of this in a strategy that also inventories data transfers falling under the Privacy Shield, along with the compliance mechanisms that you and your partners have put in place.
    • Document every step, for compliance purposes.

    The Bottom Line

    Email is not just a communication platform, but one of the biggest repositories of personal information that any organization holds. So email privacy is a paramount issue. It’s also a moving target right now in the wake of the surprise invalidation of the EU Privacy Shield law. Companies everywhere should have monitoring and contingency plans in place to adapt to the latest change and anticipate the next. In the weeks ahead, we’ll be writing about privacy rules

    [i] “The Court of Justice invalidates Decision 2016/1250 on the Adequacy of the Protection Provided by the EU-US Data Protection Shield,” Court of Justice of the European Union

    [ii] “Privacy Shield List,” U.S. Department of Commerce

    [iii] Letter to U.S. Commerce Secretary Wilbur Ross, from a coalition of American trade associations

    [iv] “FAQs—EU-U.S. Privacy Shield Program Update,” U.S. Department of Commerce

    [v] “Joint Press Statement from U.S. Secretary of Commerce Wilbur Ross and European Commissioner for Justice Didier Reynders,” U.S. Department of Commerce

    [vi] “Securing the Long Term Stability of Cross-Border Data Flows,” Facebook

    [vii] “Press Release of the Conference of the Independent Data Protection Supervisory Authorities of the Federal and State Governments,” German Data Protection Authorities

    [viii] Letter to European Parliament, European Data Protection Board

    [ix] “Privacy Shield Is Dead. Now What?”, Deloitte

    [x] “HR 4943—Cloud Act,” U.S. Congress

    [xi] “S 3456—Consumer Data Privacy and Security Act of 2020,” U.S. Congress


    Subscribe to Cyber Resilience Insights for more articles like these

    Get all the latest news and cybersecurity industry analysis delivered right to your inbox

    Sign up successful

    Thank you for signing up to receive updates from our blog

    We will be in touch!

    Back to Top