Data Strategy – 18 Sep, 2020
What Comes After The Privacy Shield?
By now, I hope you've had a chance to review the white paper EU-US Privacy Shield And Brexit and watch the panel discussion on the topic of the demise of the EU-US Privacy Shield. If not, please do so now and come back when you're ready. 😊
So now, what was your key takeaway message?
It's pretty clear that the EU-US Privacy Shield is no longer viable as a transfer mechanism for US-based businesses, which relegates the US to being just another third country without adequacy arrangements (e.g., Australia or Korea).
Several other things have taken place since the white paper was prepared. For example, Switzerland has decided that the CJEU decision means it no longer has confidence in the Swiss-US version of the Privacy Shield, which was revoked with immediate effect.
Also of note is that the Irish Data Protection Commissioner (DPC) officially informed Facebook’s European HQ that as a consequence of the CJEU ruling, it could no longer rely on the standard contractual clauses (SCC) as a transfer mechanism to send customer data of European residents back to the US, and therefore has to stop doing so.
Facebook promptly sought an injunction and judicial review, claiming that the process used by the DPC was improper, and currently is in the middle of a three-week period to provide evidence.
Meanwhile, the European Data Protection Board (EDPB) has announced that it is working on new versions of the SCC, although it has not provided a deadline.
Whatever mechanism is chosen, it must take into account the new reality – that the (recently deemed illegal) mass collection of personal data by the FBI and NSA has been weighed against the rights and freedoms of European residents (not just citizens) and that mechanisms such as SCC, Privacy Shield and even binding corporate rules (BCR) need to be reviewed on a case-by-case basis to determine whether they are adequate and appropriate safeguards.
Despite Brexit, the UK's withdrawal from the EU only becomes fully effective on 31 December 2020, which means the UK continues to be subject to EU law at least until the end of the year. Therefore, the UK-US Privacy Shield is also invalid. Don't be surprised, however, if the UK government concludes a series of bilateral trade deals (including with the US) which offer a transfer mechanism that accepts the current status quo and builds a legal framework that keeps the data flowing, albeit at the risk of endangering the UK's future mutual adequacy plans with the EU.
P.S. Data may just be the economic battleground of the future as shown by President Trump’s decision on September 18 to effectively ban TikTok and WeChat, making distribution or maintenance of the apps illegal in the US.
Paul Gillingwater MBA, CISSP, CISM, RHCE (GDPR, ISO27001, PCI/DSS, GRC, DPA18)
Paul is a Managing Principal Consultant and registered DPO at Chaucer who has worked for more than 30 years as a cyber security and risk specialist, advising businesses, government and non-profits on their governance, regulatory and compliance requirements. Over the past five years he has focused on UK & EU data protection and is a passionate advocate of online privacy rights education.