The end of Privacy Shield: What does it mean?

On July 16th, the European Court of Justice (ECJ) declared that a key data sharing mechanism, the EU-US Privacy Shield, was invalid, concluding that it fails to protect people’s rights to privacy and data protection. The historic decision will have considerable consequences and be a major headache for the thousands of companies that currently exchange data with the US.

While it was valid, the EU-US Privacy Shield permitted unrestricted personal data transfers from the EU to US-based companies. Online activities such as using Gmail and Google Drive, video calling on Zoom or Teams, or running CRM reports on Salesforce were all enabled by the Privacy Shield. US technology companies prefer to consolidate data processing into fewer data centres, and most small businesses use US-based cloud giants such as AWS and Microsoft, which is why such large volumes of data flow between the EU and the US.

The ECJ’s ruling is complex and forces the European Commission to put in place more safeguards to ensure that European data is properly protected when handled and processed by US companies. To understand the ruling properly, however, we need to jump back to Max Schrems’ battle with Facebook in 2013. The Charter of Fundamental Rights of the European Union made it compulsory that ‘every citizen in the EU has a right to have their data processed fairly, with their consent, and for specified purposes’. Yet if a US-based company sends an EU citizen’s data back to America, there is a greater risk that the NSA (US National Security Agency) can gain access to that data. Edward Snowden, a former NSA contractor, shed light on this when he disclosed that the PRISM programme gave the NSA full access to data from major US technology companies such as Google, Microsoft, Facebook and Apple. Schrems’ case therefore argued that Facebook was aiding the NSA’s mass surveillance of EU citizens.

As Facebook’s European headquarters was based in Ireland, Schrems made his complaint to the Irish Data Protection Commission. His initial complaint was dismissed, so he appealed to the country’s High Court of Justice, which referred it to the ECJ. Following inquiries, Safe Harbour, a 15-year agreement regulating data transfers between the EU and the US, was found to be inadequate at ensuring proper security of EU citizens’ data and was thus struck down by the end of 2015.

The invalidation of Safe Harbour meant that many US companies had to turn to a new EU-approved template for data transfers to the US called standard contractual clauses (SCCs). It also meant that a new framework for data transfers, the Privacy Shield, was developed to replace Safe Harbour. As Facebook and other companies were using the SCCs to transfer data to the US, Schrems made another complaint. Although the Privacy Shield was not directly part of this complaint, the Irish court asked for it to be pulled into the case, as it believed the Privacy Shield was equally incompatible with EU data protection regulations. As a result, the Privacy Shield was ruled invalid, but the SCCs remained valid.

As organisations can still use the SCCs, the Privacy Shield’s invalidation is not a disaster. However, it will be an expensive and complex legal exercise for the many who do need to move over to this template and have thousands of new contracts signed. For start-ups and SMEs that lack the budget or manpower to complete what is required, this can prove to be a serious threat.

Moreover, since organisations are looking to the SCCs as a long-term mechanism for EU-US data transfers, judges are requesting that data exporters prove the data will receive protection equivalent to that within the EU before it can be transferred to the US.

In the long run, there is no question that the SCCs will come under scrutiny once again as activists forcefully pursue further cases. Without the Privacy Shield, therefore, significant disruption to EU-US data flows in the future is very possible.

What does that mean for public cloud sharing of data?

  • Understand carefully how public cloud vendors such as Google and AWS use your data
  • Read data protection policies
  • Expand use of private cloud where you can

At Serval IT Systems and across the entrust IT Group, we have spoken openly about our concerns regarding the Privacy Shield and the uncertainty surrounding the GDPR compliance of major US cloud-based services such as Microsoft 365. This is why we are particularly careful about proposing public cloud SaaS solutions to our customers.

Please get in touch for more information.