Paul Gillingwater MBA, CISSP, CISM, RHCE

Management Consultant

Paul Gillingwater GDPR, ISO27001, PCI/DSS, GRC, DPA18

Paul is a Managing Principal Consultant and registered DPO at Chaucer who has worked for more than 30 years as a cyber security and risk specialist and advisor to businesses, government and non-profits with their governance, regulatory and compliance requirements. Over the past five years he has focused on UK & EU data protection and is a passionate advocate of online privacy rights education.

What Comes After The Privacy Shield?

By now, I hope you've had a chance to review the white paper EU-US Privacy Shield And Brexit and watch the panel discussion on the topic of the demise of the EU-US Privacy Shield. If not, please do so now and come back when you're ready. 😊

 

So, what was your key takeaway?

It's pretty clear that the EU-US Privacy Shield is no longer viable as a transfer mechanism for use by US-based businesses, which relegates the US to being just another third country like all the others without adequacy arrangements (e.g., Australia or Korea).

Several other things have taken place since the white paper was prepared. For example, Switzerland has decided that the CJEU decision means that they no longer have confidence in the Swiss-US version of the Privacy Shield, which was revoked with immediate effect.

Also of note is that the Irish Data Protection Commissioner (DPC) officially informed Facebook’s European HQ that as a consequence of the CJEU ruling, it could no longer rely on the standard contractual clauses (SCC) as a transfer mechanism to send customer data of European residents back to the US, and therefore has to stop doing so.

Facebook promptly sought an injunction and judicial review, claiming that the process used by the DPC was improper, and is currently in the middle of a three-week period to provide evidence.

Meanwhile, the European Data Protection Board (EDPB) has announced that it is working on new versions of the SCC, although it has not provided a deadline.

Whatever mechanism is chosen, it must take into account the new reality – that the (recently deemed illegal) mass collection of personal data by the FBI and NSA has been weighed against the rights and freedoms of European residents (not just citizens) and that mechanisms such as SCC, Privacy Shield and even binding corporate rules (BCR) need to be reviewed on a case-by-case basis to determine whether they are adequate and appropriate safeguards.

Despite Brexit, the UK’s official withdrawal from the EU only becomes effective on 31 December 2020, which means that the UK continues to be subject to EU law, at least until the end of the year. Therefore, the UK-US Privacy Shield is also invalid. Don’t be surprised, however, if the UK government concludes a series of bilateral trade deals (including with the US) which offer a transfer mechanism that accepts the current status quo and builds a legal framework which keeps the data flowing, albeit at the risk of endangering the UK's future mutual adequacy plans with the EU.

P.S. Data may just be the economic battleground of the future as shown by President Trump’s decision on September 18 to effectively ban TikTok and WeChat, making distribution or maintenance of the apps illegal in the US.
