Privacy Shield: do you still need one?

Privacy Shield started as an informal agreement between the United States and the European Union. The aim was to ensure compliance with European data protection standards whenever organizations transferred personally identifiable information across the pond.

While the agreement was negotiated and agreed upon more than five years ago, it wasn’t exactly popular. The primary reason for this was the potential for mass surveillance by the American authorities.

So, it wasn’t a big surprise when the European Court of Justice overturned the agreement in the summer of 2020. As a result, there’s no legal basis for such data transfers.

So, what now?

Before we get ahead ourselves, let’s define it. 

In the summer of 2016, the EU and the US government approved the Privacy Shield framework to ensure regulatory compliance with EU data protection requirements whenever you transfer data between the United States and the EU.

Although it wasn’t part of the General Data Protection Regulation (GDPR), they worded it in a way that helped organizations adhere to regulatory requirements. So, if you follow GDPR requirements, you’ll also abide by seven Privacy Shield principles:

1. Notice
2. Choice
3. Accountability (for onward transfers)
4. Security
5. Data integrity and purpose limitation
6. Access
7. Recourse, enforcement, and liability

Austrian lawyer and activist Max Schrems and the Irish Data Protection Commission

took on social media giant Facebook in the Irish courts and won. This long-running saga ended last year when the court ruled that Privacy Shield failed to meet GDPR standards. 

The court’s decision was incredibly complex, but for the most part, it concentrated on two issues:

1. US law enforcement agencies had access to personal data transferred under Privacy Shield. This is because the Americans prioritized national security over the rights of European data subjects.
2. The appointment of an ombudsperson was futile as they lacked the authority to make any binding decisions that would impact the US government and intelligence agencies. This means that European data subjects lacked actionable rights in the US court system when it came to government violations.

While Privacy Shield no longer applies to transatlantic data transfers, Standard Contractual Clauses (SCCs) are still valid, at least for now.

If you still depend on Privacy Shield when transferring data between the EU and the US, you should stop them immediately. Instead, you must adopt a different GDPR system.

At the same time, your existing commitments are still enforceable by the US Federal Trade Commission.

What does this mean?

It means that as far as the US government is concerned, you must still comply with Privacy Shield, even though it’s deemed invalid. In this scenario, it’s best to leverage both GDPR and SCCs as they remain suitable protocols to ensure data protection.

If you’re transferring or sharing data within a corporate entity, you must carefully follow the terms pre-approved by EU authorities that multinational organizations can apply internally. Furthermore, you can also get consent from European data subjects before initiating each data transfer.

Key takeaways:

• Privacy Shield is no longer valid, but SCCs still matter.
• GDPR is king.
• Whatever your organization decides to do, it’s vital to ensure strict adherence to GDPR. The more sensitive the data, the more comprehensive your protection protocols must be (including the strict requirement to report technical issues and potential data breaches).
• GDPR violations may result in fines up to €20 million or 4% of your annual turnover (or whichever is greater).

European data protection commissioners aren’t shy when it comes to fining companies, so keep British Airways and the Marriott hotel chain in mind when you make critical security-related decisions. It's also crucial  to follow cybersecurity best practices including encryption, ethical hacking, and more.