The EU-US Privacy Shield is history. What happens next?
On July 16, the Court of Justice of the European Union (CJEU) struck down the EU-US Privacy Shield agreement, effective immediately. The CJEU invalidated Privacy Shield, a data-transfer accord that replaced the Safe Harbor agreement after Safe Harbor was invalidated in 2015, because the US does not adequately meet EU standards for protecting EU citizen data from government surveillance. At the same time, the court ruled that data transfers using standard contractual clauses (SCCs) remain valid but will need to undergo additional review and revisions.
The ruling on the case, Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems, will impact thousands of US businesses that transmit EU citizen data out of the EU. According to a 2019 report by the International Association of Privacy Professionals (IAPP), approximately 88% of surveyed companies that transfer data out of the EU relied on SCCs, while 60% used Privacy Shield.
The rollback of Privacy Shield will require that businesses consider alternate mechanisms for cross-border data transfers. But whatever the method, chief privacy officers (CPOs), chief operating officers (COOs), and chief data officers (CDOs) will need to scrutinize data transfers more proactively than in the past.
The EU court sanctioned the use of SCCs as one alternative to Privacy Shield. But these clauses, where they already exist, will require reassessment and revision to make sure they cover all relevant data flows. What’s more, SCCs are sure to intensify compliance obligations. That’s because Privacy Shield was composed of a single set of compliance obligations, whereas SCCs are specific to individual data flows, which means that a business may need to implement scores of SCCs. Further complicating matters, the recent EU court ruling stipulated that data transfers under SCCs should be continually re-evaluated.
Another option is establishing binding corporate rules (BCRs) as stipulated by the EU’s General Data Protection Regulation (GDPR) Article 47. In concept, BCRs are very similar to SCCs. But most businesses will find the BCR approach infeasible due to the excessive time required for approval from EU supervisory authorities. Nonetheless, it’s a good idea to review existing BCRs as a means to help inform and supplement assessments of your data-transfer processes.
Besides these options, some businesses may embrace more prescriptive operational approaches. They may, for instance, opt to set up IT infrastructure for EU citizen data within the European Union itself. Doing so will obviate the need to transfer information across borders. The downside is that establishing infrastructure, facilities, and people in Europe can be prohibitively costly.
Conversely, some companies are planning to store and process EU data in the US to avoid cross-border transfers. Others are considering a more severe approach: some of the businesses we have been talking with say they will completely forgo collection of EU citizen data.
The first step in responding to the elimination of Privacy Shield will be to assess your business’s exposure to EU privacy laws like the GDPR. In addition, CPOs and other privacy leaders will need to consider whether data that is transported across non-EU nations could be subject to requests by national intelligence services.
To understand risks, businesses will need to identify all sensitive data on EU citizens. Data mapping can help you understand the general topology of sensitive data, including where it resides, how it is used, with whom it is shared, and the rules that govern it. This should be done through the lens of risk management and will require effective, up-to-date data governance policies and architectures. Privacy leaders will also need to assess the technical safeguards in place to carry out cross-border transfers.
It’s also critical to revisit third-party risk management and reassess partners’ capabilities for cross-border data transfers on a case-by-case basis. Once guidelines for SCCs are in place, make sure that all third-party partners involved in transnational transfers of protected data provide plans and timelines for compliance.
Perhaps the best way to address the court ruling is to adopt Privacy by Design, a framework that embeds privacy into the design and operation of the entire IT ecosystem. In other words, privacy must be incorporated into the initial design of data systems, solutions, technologies, and business processes. Privacy leaders will need to determine which of their data structures, applications, storage, use cases, and other interactions were built on the concept of Privacy by Design, and which were not.
Cross-border data transfer rules will be supervised by EU national data protection authorities, who may take action – including potential fines and sanctions as prescribed by the GDPR – against businesses that fail to meet new guidelines.
The nullification of Privacy Shield is effective immediately, but given the current lack of guidance, it seems unlikely that EU authorities will begin enforcing the ruling any time soon. However, new guidance is expected, so privacy leaders should watch for updates from the European Commission, the European Data Protection Board, and national data protection authorities.
Meanwhile, privacy leaders shouldn’t adopt a wait-and-watch approach in the countdown to compliance. It’s critical to get a head start in proactively assessing data privacy maturity, conducting risk assessments related to data transfers, and, if necessary, pursuing alternatives to current data storage and transfer practices.