On July 16, the European Union’s top court overturned the 2016 Privacy Shield agreement that allowed data sharing of EU users with US companies, citing companies’ inability to protect European users from surveillance by US intelligence.
The European Court of Justice (ECJ) struck down the transatlantic transfers after Max Schrems, the privacy advocate behind the case, argued the US lacks a comprehensive, GDPR-style federal privacy law that would safeguard EU users.
So what does this mean for the more than 5K companies that rely on Privacy Shield for GDPR-compliant data transfers?
Please note: This article is for informational purposes only. Please seek legal counsel to determine how the Privacy Shield ruling affects your business.
From the EU’s standpoint, Privacy Shield has ended and there is no grace period for the US companies left wondering how to ensure GDPR compliance for the bulk processing of EU user data they currently outsource.
Individual data transfers — those necessary for companies to maintain user expectations (e.g., booking a flight on Expedia, sending a message via Gmail, website personalization on Amazon, etc.) and for which users have granted consent — can most likely continue under the GDPR’s ‘legitimate interest’ clause.
The European Data Protection Board (EDPB) has issued FAQ for EU companies that address many of the most pressing questions shared by US companies. The US Department of Commerce has also published an updated FAQ to its Privacy Shield Framework.
Jodi Daniels helps us view these through a publisher lens and offers actionable next steps:
Publishers should maintain their current Privacy Shield protocols for a few reasons:
Yes, you should rely on your Standard Contractual Clauses and make sure you can meet all of the criteria outlined in them.
"There are concerns that data protection authorities may have different requirements for SCCs moving forward, so companies should seek legal advice to ensure their SCCs are completed correctly."Jodi Daniels
AWS and other data processors have oodles of customers relying on them, so they’ll also need to rely on their SCCs to continue doing business with you.
I don't think there's an advantage if you’re small or large; any company that is transferring data from EU users is going to be at risk. The volume of EU data transfers is more indicative of that risk than company size.
As a data processor, Kevel and other tech vendors are also affected by the Privacy Shield ruling. Principal Product Manager Larry Karnowski has reviewed the SCCs in Kevel’s Data Processing Agreements (DPAs) and ensured customers that Privacy Shield protocols will be maintained. It’s important that every company have a documented, legal way to transfer data outside of the EU or risk steep GDPR fines.
"I strongly recommend that EU and US companies review your agreements with all vendors and customers. Make sure all your up- and downstream Data Processing Agreements include valid SCCs. Also, now is a great time to clean house on the data you are collecting and transferring."Larry Karnowski
While we anticipate major pushback from US companies in the coming weeks, it’s hard to predict how the EU might respond, given what they see as a final decision.
Some in our industry predict a data privacy trade war; others, like Jodi Daniels, predict this is another push towards a federal US privacy law on par with the GDPR.
“This could be where large companies — with the large budgets to manage the legal fees — could have an advantage, as without Privacy Shield, moving data across borders is neither ideal nor efficient.” Jodi adds, “I’m hopeful that the leading multinational companies relying on Privacy Shield can move us towards a more meaningful national privacy law, so the EU sees the US more favorably, like our Canadian neighbors to the north.”
We’ll continue to follow this story and share updates as they become available.
Jodi Daniels is the founder and CEO of Red Clover Advisors, a boutique privacy consultancy that helps companies build customer trust while complying with global privacy laws such as GDPR and CCPA.
Larry Karnowski is a Principal Product Manager at Kevel, a suite of APIs that make it easy to build custom ad servers.
Thanks to Jodi and Larry for sharing their insights and expertise.
Jane is the Product Marketing Manager at Kevel. She enjoys discovering user-first ad platforms and articulating the value of Kevel's ad serving APIs.