Earlier this month, the EU court made a decision to invalidate the Privacy Shield framework of exchanging personal data for commercial purposes between the EU and the US. This has left many technology companies and data controllers confused about what this means and what they need to do to ensure an adequate level of data protection.
Neil Stone, Head of Marketing for data collection experts SmartSurvey, explains just what the issues are alongside the potential impact of the Privacy Shield’s invalidation for the technology sector and prospective customers. SmartSurvey is the UK’s leading Data Collection platform helping over 300,000 customers make better decisions every day while offering a ringfenced solution to ensure data is not transferred outside of the UK.
Can personal data from the EU being transferred on the basis of Privacy Shield to the US, guarantee an adequate level of data protection as per the GDPR?
This was the question posed to the EU Court of Justice (ECJ) last week and the verdict was a resounding ‘no’. While the ruling is a massive victory for privacy and data protection campaigners it has an immediate and complex impact on businesses that rely on data transfer between the EU and US placing operating models of huge companies like Facebook, Zoom and many others into question.
How will tech operate with no Privacy Shield?
While this move will hamper EU-US data flows, technology isn’t just going to grind to a halt. Most companies will fall back on Standard Contractual Clauses (SCC’s) as the mechanism to transfer data. The ECJ ruling deemed that SCC’s were still legal and make it possible to ensure compliance with the level of protection required by EU law, however data controllers need to assess the level of data protection and ensure its adequate. Many will be confused by what this means and what they have to do. Cue lawyers looking very happy, this ruling means they have just got a whole load busier. The reality is many businesses will need more legal support to ensure they are compliant and can continue to operate.
Does this mean tech companies are finished?
The end of Privacy Shield does not see the Four Horsemen of the Apocalypse laying waste to the tech world, but it does mean a lot of lawyers will be beavering away for the next few weeks working with both vendors and customers. For software providers that solely relied on Privacy Shield their legal teams will most likely be feverishly updating terms, conditions and issuing updated versions of existing contracts if they wish to continue processing EU data. This will be a costly and time-consuming exercise with many thousands of new contracts needing to be signed.
Could tech companies have been better prepared?
Many companies operating in the EU had their concerns over the adequacy of Privacy Shield in the first place and the more GDPR savvy players have preferred to rely on Standard Contractual Clauses in combination with their own custom data processing agreements (DPA’s) to ensure compliance and the level of protection required by EU law. Those companies that had the foresight to do this will not be adversely affected by the ruling and their contracts and T&C’s continue to be legal.
Are SCC’s the future for EU/US data processing?
This remains to be seen. SCC’s are now under the spotlight and there are already calls for review. If SCC’s were deemed invalid this would cause serious disruption to EU/US data flows. However, this seems unlikely as this would affect so many systems from Financial Markets to Supermarket stock management and even your local takeaway! While the EU are resolute in enforcing compliance with GDPR its unlikely they will vote to hit the pause button on these systems that are part of everyday and place even further pressure on economies already under strain from the Covid-19 pandemic.
Can’t Privacy Shield just be made GDPR compliant?
It’s very possible that the EU and the US will try to resolve these issues and reach a new agreement. However, this could take some time and there is limited room for manoeuvre. It’s also unlikely the US will reform its approach to surveillance legislation and national security just for an EU data transfer agreement.
Is it still safe to buy and use software?
In short yes. But before you implement a new system there are couple of things worth checking:
- Find out where your preferred vendor stores and backs up personal data that belongs to your organisation.
- Understand their sub-processors and check they have custom agreements in place-
- Enquire as to whether your vendor can work with you to create a custom data processing agreement
- Understand where their teams are based – why does this matter? Well your software account may be hosted in Germany, but the support team are based in the US this means when support access your account your data has just been transferred across the pond.
- Get your lawyer and Data Protection Officer to review any T&C’s or contracts before signing on the dotted line
Is there anything else I can do to limit exposure to risks associated with data transfer?
While SCC’s and custom DPAs may ensure legal compliance with transfers to the US, if you want extra assurance you may want to investigate a ringfenced solution. Some software vendors offer solutions that mean your data never leaves the country they operate in. For example, a UK based vendor offering a ringfenced solution would have:
- A 100% UK based team
- Data stored and backed up in the UK
- UK based sub-processors/partners
- All data transfers to occur in the UK only
- GDPR compliant
- The benefit of a completely ringfenced solution is that irrespective of changes such as the invalidation of Privacy Shield, Brexit and whatever else is brewing in the political cauldron you can rest assured that your data and service operate in a single country and are subject to their regional data laws giving you peace of mind that you will be compliant in a rapidly changing landscape.