Page 111 - Cyber Defense eMagazine for September 2020
Under GDPR (the EU's General Data Protection Regulation), Privacy Shield aimed to act as a safety mechanism that ensured personal data transferred out of the EU received the same protection in the U.S. as it did while in the EU.

Privacy Shield Declared Invalid

In the ECJ's ruling, it found two major issues with Privacy Shield:

1. U.S. privacy and surveillance laws "are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required, under EU law."

This indicates that U.S. agencies, such as the NSA, have access to personal data transferred out of the EU that goes beyond what is strictly necessary, which does not align with GDPR standards (i.e. it is not "essentially equivalent" to EU protections). In addition, the U.S. surveillance programs examined in the ruling, in particular those operated under Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333, give EU data subjects no effective way to challenge that access in the U.S.



2. Privacy Shield required the U.S. to have an ombudsperson responsible for handling requests and concerns from EU data subjects regarding their data that has been transmitted from the EU to the U.S.

The ECJ found this mechanism "does not provide data subjects with any cause of action before a body which offers guarantees substantially equivalent to those required by EU law."

Ultimately, the ombudsperson was neither independent of the executive branch nor empowered to issue decisions binding on the U.S. intelligence agencies, so the role could not give EU data subjects a judicial remedy for the handling of their personal data.



How This Impacts Organizations Using Privacy Shield

Companies relying on Privacy Shield for EU-U.S. data transfers can no longer use this framework, as it was invalidated with immediate effect by the ECJ's July 16th ruling, with no grace period. With that said, there are two common alternatives to Privacy Shield.

Standard Contractual Clauses (SCCs) are contractual terms that the sender and receiver of data agree to, which commit both parties to GDPR standards when data is transferred between the EU and another country (such as the U.S.). The ruling upheld SCCs, but it also requires the parties to verify, before transferring, that the law of the destination country does not prevent the recipient from honoring the clauses, and to add supplementary measures (for example, encryption with keys held only in the EU) or suspend the transfer where it does. Binding Corporate Rules (BCRs), which cover transfers within a corporate group and must be approved by a supervisory authority, can also be used in lieu of Privacy Shield if SCCs don't meet an organization's needs; they are subject to the same assessment.
Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.