CISA, CRISC, CGEIT, PMP, CDPSE, Principal, Global Leader, Cybersecurity, Technology Risk, and Privacy
View full biography
The EU-US Privacy Shield is history. What happens next?
On July 16, the Court of Justice of the European Union (CJEU) struck down the EU-US Privacy Shield agreement, effective immediately. The CJEU said it invalidated Privacy Shield, a data-transfer accord that replaced the Safe Harbor agreement after it was invalidated in 2015, because the US does not adequately meet EU standards to protect EU citizen data from government surveillance. At the same time, the court ruled that data transfers using standard contractual clauses (SCCs) remain valid but will need to undergo additional review and revisions.
The ruling on the case, Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems, will impact thousands of US businesses that transmit EU citizen data out of the EU. According to a 2019 report by the International Association of Privacy Professionals (IAPP), approximately 88% of surveyed companies that transfer data out of the EU relied on SCCs, while 60% used Privacy Shield.
The rollback of Privacy Shield will require that businesses consider alternate mechanisms for cross-border data transfers. But whatever the method, chief privacy officers (CPOs), chief operating officers (COOs), and chief data officers (CDOs) will need to scrutinize data transfers more proactively than in the past.
The EU court sanctioned the use of SCCs as one alternative to Privacy Shield. But these clauses, if existing, will require reassessment and revision to make sure they cover all relevant data flows. What’s more, SCCs are sure to intensify compliance obligations. That’s because Privacy Shield was composed of a single set of compliance obligations, but SCCs are specific to individual data flows, which means that a business may need to implement scores of SCCs. Further complicating matters, the recent EU court ruling stipulated that data transfers under the SCC should be continually re-evaluated.
Another option is establishing binding corporate rules (BCRs) as stipulated by the EU’s General Data Protection Regulation (GDPR) Article 47. In concept, BCRs are very similar to SCCs. But most businesses will find the BCR approach infeasible due to the excessive time required for approval from EU supervisory authorities. Nonetheless, it’s a good idea to review existing BCRs as a means to help inform and supplement assessments of your data-transfer processes.
Besides these options, some businesses may embrace more prescriptive operational approaches. They may, for instance, opt to set up IT infrastructure for EU citizen data within the European Union itself. Doing so will obviate the need to transfer information across borders. The downside is that establishing infrastructure, facilities, and people in Europe can be prohibitively costly.
Conversely, some companies are planning to store and process EU data in the U.S. to avoid cross-border transfers. Others are considering a more severe approach: Some of the businesses we have been talking with say they will completely forgo collection of EU citizen data.
The first step in responding to the elimination of Privacy Shield will be to assess your business’s exposure to EU privacy laws like the GDPR. In addition, CPOs and other privacy leaders will need to consider whether data that is transported across non-EU nations could be subject to requests by national intelligence services.
To understand risks, businesses will need to identify all sensitive data on EU citizens. Data mapping can help you understand the general topology of sensitive data, including where it resides, how it is used, with whom it is shared, and the rules that govern it. This should be done through the lens of risk management and will require effective, up-to-date data governance policies and architectures. Privacy leaders will also need to assess the technical safeguards in place to carry out cross-border transfers.
It’s also critical to revisit third-party risk management and reassess partners’ capabilities for cross-border data transfers on a case-by-case basis. Once guidelines for SCCs are in place, make sure that all third-party partners involved in transnational transfers of protected data provide plans and timelines for compliance.
Perhaps the best way to address the court ruling is to adopt Privacy by Design, a framework that embeds privacy into the design and operation of the entire IT ecosystem. In other words, privacy must be incorporated into the initial design of data systems, solutions, technologies, and business processes. Privacy leaders will need to determine which of their data structures, applications, storage, use cases, and other interactions were built on the concept of Privacy by Design, and which were not.
Cross-border data transfer rules will be supervised by EU national data protection authorities, who may take action – including potential fines and sanctions as prescribed by the GDPR – against businesses that fail to meet new guidelines.
The nullification of Privacy Shield is effective immediately, but given the current lack of guidance, it seems unlikely that EU authorities will begin enforcing the ruling any time soon. However, new guidance is expected, so privacy leaders should watch for updates from the European Commission, the European Data Protection Board, and national data protection authorities.
Meanwhile, privacy leaders shouldn’t adopt a wait and watch approach in the countdown for compliance. It’s critical to get a head start in proactively assessing data privacy maturity, conducting risk assessments related to data transfers, and, if necessary, pursuing alternatives to current data storage and transfer practices.
Bhavesh Vadhani, Principal, National Director, Cybersecurity, Technology Risk, and Privacy
703.847.4418
Daryouche Behboudi, Managing Director, Cybersecurity, Technology Risk, and Privacy
703.744.8507
Deborah Nitka, Manager, Cybersecurity, Technology Risk, and Privacy
646.762.3372
Related Services
This has been prepared for information purposes and general guidance only and does not constitute legal or professional advice. Neither CohnReznick LLP or its personnel provide legal advice to third parties. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its members, employees, and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.
Related Insights
-
Press ReleaseSun joins CohnReznick as Principal, CybersecurityDavid Sun leads CohnReznick’s security incident response and recovery; computer forensic and litigation support; and cloud security services.
-
InsightUnderstanding Zero TrustBhavesh Vadhani, Adonye ChamberlainRead about the evolution of this cybersecurity paradigm, why it is increasingly necessary, and how to get started on its implementation.
-
InsightBe on guard for phishing attacks amid bank collapsesBhavesh VadhaniAs scammers take advantage of the chaos caused by the Silicon Valley Bank and Signature Bank turmoil, keep these key security principles top of mind.
-
InsightProposed regulatory changes increase board responsibility for cybersecurity programsScott Corzine, Bhavesh VadhaniProposed regulations may increase the responsibility of corporate board directors with cybersecurity programs. Learn more.
-
Press ReleaseCohnReznick adds two senior leaders to growing Cybersecurity, Technology Risk, and Privacy practiceScott Corzine, Managing Director, and Stephen P. Gilmer, Director, have joined CohnReznick's Cybersecurity, Technology Risk and Privacy practice, bringing extensive experience in cybersecurity risk, risk management, compliance, and operational impact.