In mid-July of this year, the European Union Court of Justice (CJEU) rendered the EU-US Privacy Shield invalid. It also found that the Privacy Shield’s transfer protocols did not meet the protection level mandated by EU laws.
What is the Privacy Shield? In short, it’s an agreement between the United States and the European Union that allows the transfer of personal data between citizens and companies while meeting the strict requirements of the GDPR. This is why if you need to transfer customer or business data between the EU to the US, this issue is of the utmost importance to you.
In this article, we will focus on the intention behind Privacy Shield invalidation, why the CJEU invalidated it, what this means for you, and steps you can take to steer clear of running afoul of the rule changes.
Privacy Shield invalidation, how did we get here?
The Privacy Shield invalidation is a cause directly related to the CJEU decision came on the heels of a legal battle in the Irish courts involving Mark Zuckerberg’s Facebook, the Irish Data Protection Commission, and Austrian activist and author Max Schrems. If your company trades data with EU companies, you will have to make some changes to adapt to the new rules.
DATA privacy regulation in the US today
In order to self-certify for Data privacy regulation in the US, the companies are required to send to the Department of Commerce certain pieces of information (such as their mailing address) and they’re also required to commit to honoring the seven principles of Privacy Shield.
These principles consist of the following:
- Notice
- Security
- Recourse, Enforcement, and Liability
- Choice
- Data Integrity and Purpose Limitation
- Access
- Accountability for Onward Transfer
Despite the aforementioned Privacy Shield protocols, the CJEU decided on July 16 that Privacy Shield failed to properly safeguard the personal information of EU citizens. The court expressed the following specific issues with Privacy Shield:
- Privacy Shield falls short of the EU’s General Data Protection Regulation (GDPR) in terms of guaranteeing the privacy rights of EU residents.
- US government surveillance regulations present certain concerns.
- Privacy Shield doesn’t include enough restrictions to prevent the personal data of EU results from being accessed and utilized by authorities in the US.
Current data protection laws in the US and EU
If your company transmits personal data to the US from the EU and doesn’t want to meet the Privacy Shield invalidation, you now have to implement some other kind of laws instead of current data protection laws and policies in response to the invalidated EU-US Privacy Shield. It’s often the case that companies are given a period of time to prepare for rule changes of this magnitude, but there has been no such moratorium or grace period in this particular case.
This is also why your company would be wise to hire a data analyst if you haven’t already. Learning about data fundamentals, assessing security measures pertaining to data privacy, and helping with issues relating to privacy compliance requirements are all critical elements of what a data analyst is supposed to do. Keep in mind that EU Data Protection Authorities have the right to begin investigating any alleged breaches right away. If their investigation finds that you’re in violation of the new policies, you could face punitive measures that include (but are not limited to) significant fines.
The current data protection laws in fact, for non-compliance GDPR, can net companies fines of as much as EUR 20 million, although the European Data Protection Board reported in a preliminary report that the average fine has been approximately EUR 66,000.
Something to be mindful of is that the EU has agreed upon various Standard Contractual Clauses (SCC) designed to regulate the transmission of personal data to nations that are not deemed to offer adequate protection protocols for the transmission of personal data. According to the CJEU, meanwhile, organizations are required to conduct an analysis to ascertain whether or not SCCs would afford enough of a safeguard for data transfers in the EU.
Of course, you can’t use just any alternative means to remain in compliance with the court ruling. Whatever alternative measures you use to transfer personal information must be protocols recognized and accepted by the GDPR.
The good news is that there are several such protocols that you can use to respect the current data protection laws. One is to develop a Maturity Action Plan (MAP) roadmap to help move you toward compliance. Another is to test your applications with Dynamic Application Security Testing (DAST), a key testing methodology that analyzes running applications to detect any security vulnerabilities.
You’ll also need to determine if your privacy protocols are strong enough to accommodate SCCs as an alternative means of EU data transfers. When it comes to envisioning the type of privacy protocols you need, it might help to think about privacy and security tools used in other areas of the enterprise.
Privacy Shield invalidation, how you can avoid problems
You’ll want to know about the Privacy Shield invalidation is what impact the court ruling may have on your business. Fortunately, there are things you can do to stay on the right side of the law so that you are unaffected by the CJEU ruling.
According to the GDPR, specifically in Article 14.f, organizations that wish to transfer information to recipients in other nations have to provide their users with the particulars on the location where the data is being processed and stored.
Despite this, a whopping 28% of all companies worldwide have still not even begun their preparations to be compliant. To avoid making this same mistake, first of all, it’s better to know and understand the current data protection laws, then you will need to start by knowing exactly where your information is processed and kept, and you will also need to let end-users know the precise whereabouts of the transfer if the information is transmitted outside the boundaries of the EU. You can then roll out an alternative transfer protocol so that your data is processed lawfully.
Conclusion
In this article, we will see what is the Privacy Shield invalidation, the Data privacy regulation in the US, and how to avoid the invalidation of Privacy Shield.
Whatever it’s no longer business as usual for companies whose business involves transferring data internationally. The CJEU ruling in mid-July will impact the analytics tools of companies in the marketing space. You’ll want to ensure your company is aware of the rules in order to be on the right side of the law and to avoid fines and other negative legal ramifications.
