It’s Time To Say Goodbye To The EU-US Privacy Shield
July 2020 by Enza Iannopollo, Senior Analyst, Forrester
In 2000, the European Commission (EC) introduced Safe Harbor. It was a principles-based, voluntary framework to allow companies to transfer personal data of European residents to the US. And Austrian law student Maximilian Schrems took Facebook to court claiming that once his data reached US soil, privacy protection faded. Five years later, the European Court of Justice (ECJ) declared Safe Harbor invalid. To replace it, the EC issued the EU-US Privacy Shield. The new framework was supposed to provide additional protection to EU citizens’ data with the creation of new safeguards, such as the Data Protection Ombudsman, and the “promise” that US surveillance would be limited. Today, the ECJ decided that these expectations have not been met and invalidated the privacy shield.
About 5,000 companies currently rely on the framework to transfer personal data to the US, and these transfers contribute to transatlantic trade, which is worth about £5.6 trillion. To keep these vital transfers flowing while complying with the ECJ’s ruling, security and risk (S&R) pros must take these steps:
Map out your data transfers today. S&R pros must start mapping out their data transfers today to understand which transfers are impacted.
Assess alternatives and adopt standard contract clauses (SCCs) with caution. SCCs have become the go-to strategy for most companies, and the ECJ affirmed their validity. But, experts expect the EC to adopt an updated version of SCCs soon.
Review your third parties’ data flows and contracts. First, remediate any problems with data transfers that involve cloud providers. This is the time to find out where they’re actually keeping your data and respond accordingly.
Assess changes to data transfers from Europe to countries beyond the US. More changes are likely. For example, European data protection authorities can stop transfers under SCCs if they don’t believe they offer adequate protections. Thus, companies must examine not only which data transfers are happening but also how business-critical they are, and start planning for the future.
Green-light transfers to “adequate countries.” Currently, the EC has recognized 12 countries as adequate from a data protection perspective. If you transfer data to one of them, no further red tape is required.