What This Means for EU-US Commercial Data Transfers
By Dan Piazza, Technical Product Manager, Stealthbits Technologies
On July 16th, 2020, the European Court of Justice (ECJ) struck down Privacy Shield, the EU-US data privacy agreement that many organizations relied on to transfer personal data from the EU to the U.S. The case is commonly known as Schrems II.
Privacy Shield was enacted in 2016 as a replacement for the Safe Harbor Privacy Principles, which the ECJ had struck down in 2015. Beyond replacing Safe Harbor, Privacy Shield was designed to protect the fundamental rights of EU data subjects whose personal data is transferred to the U.S. for commercial purposes.
The primary goals of the Privacy Shield framework were:
- Strong data protection obligations on companies receiving personal data from the EU
- Safeguards on U.S. government access to data
- Effective protection and redress for individuals
- An annual joint review by the EU and U.S. to monitor the correct application of the arrangement
Under GDPR (the EU's General Data Protection Regulation), Privacy Shield served as an adequacy mechanism: a basis for transfers meant to ensure that personal data leaving the EU received essentially the same protection in the U.S. as it had in the EU.
Privacy Shield Declared Invalid
In the ECJ’s ruling, it found two major issues with Privacy Shield:
- U.S. privacy and surveillance laws “are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required, under EU law.”
In other words, U.S. intelligence agencies such as the NSA can access personal data transferred out of the EU in ways that are not “essentially equivalent” to EU protections and so do not meet the GDPR standard. The court singled out surveillance programs authorized under U.S. law, in particular Section 702 of the Foreign Intelligence Surveillance Act, as lacking limits and redress comparable to what EU law requires.
- Privacy Shield required the U.S. to have an ombudsperson responsible for handling requests and concerns from EU data subjects regarding their data that’s been transmitted from the EU to the U.S.
The ECJ found this mechanism “does not provide data subjects with any cause of action before a body which offers guarantees substantially equivalent to those required by EU law”.
Ultimately the ombudsperson was neither sufficiently independent of the executive branch nor empowered to issue decisions binding on U.S. intelligence services, so EU data subjects had no effective way to bring a legal action about how their personal data was handled.
How This Impacts Organizations Using Privacy Shield
Companies using Privacy Shield for EU-US data transfers can no longer use this framework, as it was immediately invalidated as of the ECJ’s July 16th ruling. With that said, there are two common alternatives to Privacy Shield.
Standard Contractual Clauses (SCCs) are contractual terms that the sender and receiver of data agree to, which ensures both parties are following GDPR standards when data is transferred between the EU and another country (such as the U.S.). Binding Corporate Rules (BCRs) can also be used in lieu of Privacy Shield if SCCs don’t meet an organization’s needs.
However, SCCs and BCRs aren’t as easy to use as Privacy Shield. U.S. organizations that receive data from the EU must now conduct a case-by-case analysis to determine whether they can meet the legal requirements to protect that data from U.S. surveillance. The ECJ’s own ruling makes that analysis hard to pass, since it found that current U.S. law and the practices of U.S. intelligence and surveillance agencies fall short of the required protection.
In addition, organizations using SCCs or BCRs need to be able to guarantee that “U.S. law does not impinge on the adequate level of protection” for the transferred data, if necessary by adding supplementary technical or contractual measures. If that standard cannot be met, the organization’s data transfers from the EU must be suspended.
The European Data Protection Board (EDPB) also posted a FAQ regarding this Privacy Shield ruling. Per this FAQ, GDPR Article 49 derogations may also be means for completing certain data transfers.
Ultimately, organizations that previously used Privacy Shield need to reevaluate if their data transfer processes meet GDPR standards. Although this is no small task, the following steps are essential:
Locate Personally Identifiable Information
Organizations need to know what personally identifiable information (PII) they’re storing, and where it’s located. Due to improperly provisioned access, it’s possible that users have moved PII data to unexpected locations.
Remediate Stale Personally Identifiable Information
Once personal information is no longer needed for regulatory or business purposes, it should either be securely archived or deleted outright.
Audit and Control Access to Personally Identifiable Information
Overprovisioned and improperly granted access raise an organization’s risk of a data breach. Users should only have access to the data required to perform their daily tasks, and admins should only hold elevated privilege when a task needs it.
Be Able to Respond to Data Subject Access Requests (DSARs)
Organizations must be able to respond to consumer DSARs within the GDPR’s deadline. This involves gathering all PII related to a data subject, providing that information to them, and, where the request asks for erasure, deleting it.
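The four steps above (locate PII, flag stale copies, check who can read them, and gather everything tied to a subject for a DSAR) can be prototyped against a file share in a few dozen lines. The following is an added example written for this article, not code from the author or from any Stealthbits product; the detection patterns, the 365-day retention window and the sample directory it builds are all constructed assumptions for the demo.

```python
import os
import re
import stat
import tempfile
import time
from dataclasses import dataclass

# Constructed detection patterns. A real deployment needs a broader, validated
# rule set; two patterns are enough to show the mechanics (assumption).
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # US SSN with the usual invalid-range exclusions, so "000-12-3456" is not flagged.
    "us_ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
}


@dataclass
class Finding:
    path: str             # relative to the scanned root
    pii_types: tuple      # pattern names that matched
    stale: bool           # not modified within the retention window
    world_readable: bool  # mode bits grant read access to "other"


def classify(text, patterns=PII_PATTERNS):
    """Return the sorted names of the PII patterns that match in text."""
    return tuple(sorted(name for name, rx in patterns.items() if rx.search(text)))


def scan_file(root, relpath, now, max_age_days=365, patterns=PII_PATTERNS):
    """Return a Finding if the file holds PII, otherwise None."""
    full = os.path.join(root, relpath)
    try:
        with open(full, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return None
    types = classify(text, patterns)
    if not types:
        return None
    st = os.stat(full)
    stale = (now - st.st_mtime) > max_age_days * 86400
    world_readable = bool(st.st_mode & stat.S_IROTH)
    return Finding(relpath, types, stale, world_readable)


def scan_tree(root, now=None, max_age_days=365, patterns=PII_PATTERNS):
    """Walk root and return Findings for every file containing PII, sorted by path."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            f = scan_file(root, rel, now, max_age_days, patterns)
            if f:
                findings.append(f)
    return sorted(findings, key=lambda f: f.path)


def subject_files(findings, root, subject_token, patterns=PII_PATTERNS):
    """DSAR support: which PII-bearing files mention this subject's identifier?"""
    hits = []
    for f in findings:
        with open(os.path.join(root, f.path), "r", encoding="utf-8", errors="replace") as fh:
            if subject_token in fh.read():
                hits.append(f.path)
    return hits


def summarize(findings):
    """Counts a governance team would track over time."""
    return {
        "files_with_pii": len(findings),
        "stale": sum(f.stale for f in findings),
        "world_readable": sum(f.world_readable for f in findings),
    }


def build_demo_tree():
    """Constructed sample share; returns (root, now) so the scan is deterministic."""
    root = tempfile.mkdtemp(prefix="pii_demo_")
    now = 1_700_000_000  # fixed "current time" so staleness does not depend on the clock
    samples = [  # (relative path, content, age in days, mode)
        ("hr/payroll.csv", "name,ssn\nAda,123-45-6789\n", 30, 0o640),
        ("public/readme.txt", "Welcome to the share. Badge 000-12-3456 is not an SSN.\n", 10, 0o644),
        ("archive/old_contacts.txt", "ada@example.org\n", 800, 0o644),
    ]
    for rel, content, age_days, mode in samples:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
        mtime = now - age_days * 86400
        os.utime(full, (mtime, mtime))
        os.chmod(full, mode)
    return root, now


if __name__ == "__main__":
    demo_root, demo_now = build_demo_tree()
    results = scan_tree(demo_root, now=demo_now)
    for finding in results:
        print(finding)
    print(summarize(results))
    print("files to collect for Ada's DSAR:", subject_files(results, demo_root, "Ada"))
```

On the constructed share the scan flags the payroll file (SSN, fresh, group-readable only) and the old contact list (email, older than the retention window, readable by everyone), while the readme is ignored because its digit string falls in the invalid SSN range. The stale and world-readable flags are exactly the two remediation queues the steps above describe.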
How Software Solutions Can Help
Software solutions and automation can help with these steps. Data Access Governance (DAG) software can locate personal information, remediate stale data, and resolve overprovisioned access. Privileged Access Management (PAM) software can enable secure, task-based administrative access that is delivered just-in-time and with just-enough privilege.
Moving Forward Without Privacy Shield
A joint statement by the U.S. Secretary of Commerce and the EU Commissioner for Justice, released on August 10th, 2020, said the two sides are working towards a new agreement.
“The European Union and the United States recognize the vital importance of data protection and the significance of cross-border data transfers to our citizens and economies. We share a commitment to privacy and the rule of law, and to further deepening our economic relationship, and have collaborated on these matters for several decades.”
This statement doesn’t offer any specifics, and until more details are released organizations shouldn’t assume a new Privacy Shield is coming soon. Even if a new framework is put in place, unless there are drastic changes to how the U.S. government treats data privacy, the new agreement is likely to be struck down by the same EU court.
In the meantime, organizations that need to keep the flow of data open between the EU and the U.S. will need to utilize either Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).
This is an unfortunate reality, but things can only improve once the U.S. government starts to take data privacy more seriously. State-level laws, such as the California Consumer Privacy Act (CCPA) and the New York SHIELD Act, are steps in the right direction. However, it’s clear the U.S. needs federal data privacy regulation on par with the EU’s GDPR. Until then, arranging a successor to Privacy Shield, and more importantly making it stick, remains a challenge.
About the Author
Dan Piazza is a Technical Product Manager at Stealthbits Technologies, responsible for File Systems and Sensitive Data in their Data Access Governance solution, StealthAUDIT. He’s worked in technical roles since 2013, with a passion for cybersecurity, data protection, storage, and automation. Stealthbits is a cybersecurity software company focused on protecting sensitive data and the credentials attackers use to steal that data.
Dan can be reached online at linkedin.com/in/danieljpiazza and at our company website https://www.stealthbits.com/