The Privacy Shield is in Hot Water – and It Might Impact Your Data-Driven Marketing
Feeling like you’re past the GDPR data storm? Unfortunately, the EU-U.S. Privacy Shield might just push you back into the eye.
The rushed and highly criticised EU-U.S. Privacy Shield Framework is up for review, and data-driven marketers around the world are holding their breath. But how does the framework relate to the GDPR, and how might it impact EU businesses? I’ll walk you through the timeline and the possible legal implications.
The Relationship Between The GDPR and The EU-U.S. Privacy Shield
The GDPR, General Data Protection Regulation 2016/679, came into effect on May 25th 2018 as what can be best described as the marketer’s version of the millennial bug. Chaos, outcry, mass confusion. Pandemonium!
When the GDPR entered into force, something unique happened. It changed the whole world’s mindset about processing personal data: the power over data shifted from companies to individuals, and trust became the ultimate currency. For me, as a Legal Counsel at APSIS, it was fascinating to experience such a big change and to see how the world reacted to a Regulation that was long overdue.
But the law settled into place and companies were able to breathe a sigh of (momentary) relief. So, if the law is already in force – why am I writing yet another post about it? Because the EU-U.S. Privacy Shield is going through a second review on October 18th-20th 2018.
What is the EU-U.S. Privacy Shield?
But before we get into the nitty-gritty, let’s begin with the basics. The EU-U.S. Privacy Shield is designed by the U.S. Department of Commerce and the European Commission to provide companies on both sides of the pond with a framework to comply with data protection requirements in support of transatlantic commerce.
But, what does it have to do with the EU regulation?
Well, the GDPR doesn’t just apply to European companies. It applies to any company conducting business within Europe. Because of this, the regulation recognises that transfers of data may occur from the European Economic Area (EEA) to countries outside of the EEA.
This is where the EU-U.S. Privacy Shield (“the Privacy Shield”) enters the show. But unfortunately, the EU Parliament is slowly losing its confidence in the U.S., and future transfers of data to and from the U.S. may get suspended. And here’s the kicker:
Data suspension will affect all U.S. companies who are active in the EU, as well as customers who are using U.S. based companies.
A company would transfer data out of the European Economic Area (EEA) if, for example, it used a supplier located outside of the EEA, or a company whose servers are located outside of the EEA.
For such transfers, the EU has imposed restrictions that amount to an absolute prohibition, unless certain criteria are met demonstrating that the country in question provides an “adequate” level of data protection, comparable to European standards.
The First Hit
Since 2000, the U.S. was considered to be a country with “adequate” data security standards, following the enactment of the EU/U.S. Safe Harbour Agreement.
When Edward Snowden leaked information in 2013 regarding the U.S. National Security Agency’s mass surveillance of private data relating to European Citizens – the world went into a frenzy and things quickly turned sour.
Overnight, the Safe Harbour Agreement was shattered and the credibility and the trust of the U.S. as an “adequate” jurisdiction started to wither. And all EU-companies relying on the Safe Harbour Agreement for transferring data lost their legal ground…
Mayhem escalated, and EU companies operating on the other side of the pond had to rethink their strategies, as their transfers were in breach of their own national law (e.g. the previous Swedish Personuppgiftslagen 1998:204).
Because numerous EU companies were potentially in breach once Safe Harbour was deemed to be an ineffective safeguard of European data protection standards, the Privacy Shield replaced the U.S. Safe Harbour Agreement in October 2015.
As a result, the Privacy Shield was rushed. It was criticised even before it became operational, but the Commission noted that the framework, as a whole, ensured an adequate level of protection for now.
The Final Straw
But then, the Facebook-Cambridge Analytica Data Scandal hit the law’s credibility like a ton of bricks….
In March 2018, a former Cambridge Analytica employee revealed that Facebook had transferred 2.7 million EU citizens’ data to Cambridge Analytica. In addition, Facebook allowed an app on the platform to harvest 87 million profiles of users around the world in 2014 and 2015, which – coincidentally – was used by Cambridge Analytica.
The accumulation of detrimental events led the Information Commissioner’s Office (“ICO”), the UK’s data protection body, to conclude that corporate U.S. signatories had failed to respect the Privacy Shield Agreement, and that Facebook had failed to safeguard its users’ information.
As the final straw, the EU Parliament realised that the U.S. authorities had left ten recommendations for improving data security unresolved and unacknowledged...
As a result of the lack of engagement regarding data privacy requirements, the EU Parliament issued a non-binding resolution to suspend the Privacy Shield unless the U.S. complied with EU data protection by September 1st 2018.
Unfortunately, the U.S. was not able to meet the September deadline. Even though it was only a non-binding resolution, the lack of action might influence the judgment when the second review takes place next week, on October 18th-20th 2018...
… which could potentially result in a suspension in all transfers of data to and from the U.S.
How the Law Might Shield and Wield Your Business
Firstly, if the Privacy Shield were to be suspended, the U.S. would be left without an adequacy decision from the Commission, meaning it would no longer be considered a jurisdiction that meets the Commission’s standard of an “adequate level of protection”.
Remember the chaos when the Safe Harbour fell?
Well, back then, potential fines of 20 000 000 EUR, or up to 4% of total worldwide annual turnover, did not exist. Hence, you may want to reconsider your current Processor and switch to a company which meets these EU requirements, in order for you to remain GDPR-compliant.
Secondly, in the absence of an adequacy decision or other appropriate safeguards and/or if you are using a company with servers in the U.S., you should be aware of Article 49(1)(a) GDPR. It states that data subjects (your customers/subscribers) must have “... explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfer due to the absence of an adequacy decision and appropriate safeguards”, meaning that consent will be your only legal ground for processing data.
Thirdly, and despite the havoc caused in the U.S., it is your responsibility, as the Controller of your customers’/subscribers’ personal data, to make sure that you only use a Processor who can meet the EU regulation and is able to provide you with sufficient guarantees to implement measures which will ensure protection for your customers/subscribers.
What will happen with the U.S. is yet to be decided. But it is not looking ideal. At APSIS, we have always chosen the safe path for our +6000 customers. We only process data locally within the EU, in order to make sure that we are able to provide our customers with an “adequate level of protection” when processing data.
Therefore, during these sensitive times when data security is on everyone’s mind, try to foresee the unforeseeable and be proactive with your data privacy strategies. Using an EU-based Processor who is transparent, reliable and cares about the security of your customers/subscribers is highly recommended.
Because, history can repeat itself... And you do not want to be in the same position as the other EU companies were when the Safe Harbour fell.
If you’ve enjoyed this article and would like to update your knowledge on the GDPR – just head over to our landing page for a crash course!
Note: This blog post is for inspirational and informational purposes only and does not constitute legal advice, nor shall it be construed, or relied, on as such. APSIS accepts no liability for any losses incurred as a result of any reliance made on the information contained herein. APSIS reserves all rights to the content of the blog.