On July 16th, The European Court of Justice (ECJ) officially declared that the EU-US Privacy Shield, a key data sharing mechanism, is invalid as they believe it fails to protect people’s rights to privacy and data protection. The historic decision will have substantial consequences and be a major headache for thousands of organisations that already exchange data with the US.
When valid, the EU-US Privacy Shield permitted unrestricted personal data transfers from the EU to US based organisations. Business activities such as using Gmail and Google Drive, video calling on Zoom or Teams, or running CRM reports on Salesforce are all enabled by the Privacy Shield. US technology organisations favour streamlining their data processing to fewer data centres, and most small businesses use US-based cloud tech giants such as AWS and Microsoft - hence the large volume of data flowing between the EU and the US.
The ruling handed down by the ECJ is complex and forces the European Commission to introduce more safeguards so that European data is protected properly when handled and processed by US companies. To understand the ruling properly however, you need to go back to Max Schrems battle with Facebook in 2013. The Charter of Fundamental Rights of the European Union made it compulsory that ‘every citizen in the EU has a right to have their data processed fairly, with their consent, and for specified purposes’. Yet, if a US based organisation is sending an EU citizen’s data back to America, there is a high risk that the NSA (US National Security Agency) can get access to that data. Former NSA contractor Edward Snowden shed light on this when he released that the PRISM programme gave the NSA complete access to the data from major US tech firms such as Google, Microsoft, Facebook and Apple. Schrems battle was therefore arguing how he felt Facebook was aiding the mass surveillance of EU citizens by the NSA.
Schrems made his compliant to the Irish Data Protection Commission due to the European headquarters of Facebook being based there. His initial complaint was rejected, so he took it further to the country’s High Court who referred it onto the ECJ. After being investigated it was discovered that Safe Harbour, a 15-year-old agreement regulating data transfers between the EU and US was unable to guarantee sufficient protection for EU citizens’ data and was therefore demolished towards the end 2015.
Safe Harbour being invalidated meant that many US firms had to switch to a different EU-approved template of transferring data to the US - standard contractual clauses (SCCs). It also meant a new data transfer framework was formed to replace Safe Harbour – the Privacy Shield. As Facebook and other organisations began using the SCCs to transfer data to the US, Schrems made another complaint. While the Privacy Shield was not directly part of this, the Irish Court’s requested it was pulled into the case as they felt it was equally incompatible with EU data protection regulations. As a result, the Privacy Shield was ruled invalid, but the SCCs remained valid.
As companies can still use the SCCs, the Privacy Shield’s invalidation is not a catastrophe. However, it will be a costly, complex and legal exercise for many organisations who need to move over to this template and have thousands of new contracts signed – this can prove to be threatening for start-ups and SMEs who do not have the budget or man power to complete what is necessary.
Furthermore, due to the SCCs being looked upon as a long-term mechanism by companies for EU-US data transfers, judges are requesting that data exporters prove that the data will have equivalent protection as within the EU, before it is able to be transferred to the US.
In the long run, there is no doubt that the SCCs may come under scrutiny once again with activists actively pursuing cases with force. Therefore, without the Privacy Shield, it is likely that there will be serious disruption to EU-US data flows in the future.
What does that mean for public cloud sharing of data?
- Understand carefully how public cloud vendors such as Google and AWS use your data
- Read data protection policies
- Expand use of private cloud where you can
At the entrust IT Group, we have spoken openly about our concerns of the Privacy Shield and the uncertainty surrounding major US cloud-based services such as Microsoft 365 with GDPR. This is why we are extremely cautious about recommending public cloud SaaS solutions to our customers.
