What to Do After the EU-US Privacy Shield Ruling

Kris Lovejoy


October 1, 2020

After a recent Court of Justice of the European Union (CJEU) ruling invalidated the EU-US Privacy Shield framework, organizations around the world have been completely rethinking their data strategies. In July, the CJEU ruled that the EU-US Privacy Shield is inadequate because U.S. law cannot sufficiently protect the personal data of citizens living in the European Economic Area (EEA). The court held that when the personal data of EEA citizens is transferred to a third country, pursuant to standard data protection clauses, it must be afforded a level of protection essentially equivalent to that guaranteed within the European Union. Specifically, the Privacy Shield was invalidated on the grounds that U.S. surveillance laws fundamentally clash with EU data protection rights.

Under EU law, transfers of personal data outside of the EEA require an adequacy ruling, appropriate safeguards or derogations for specific situations. Implemented in 2016, the Privacy Shield is a framework for self-certification agreed between the U.S. Department of Commerce and the European Commission. The framework set out to enable participating organizations to meet EEA requirements when transferring personal data to the United States.

It was previously thought that the EU-US Privacy Shield aligned with the EU’s General Data Protection Regulation (GDPR), which came into effect in May 2018 and imposes strict privacy and security obligations on organizations that handle personal data relating to EEA citizens. Following the CJEU’s recent ruling, however, the Privacy Shield no longer provides a mechanism for legitimizing cross-border data flows to the United States. This has far-reaching consequences for all organizations that currently rely on it. In light of the new ruling, risk professionals must help their organizations to reevaluate data strategies and manage heightened regulatory risk going forward.

Assessing the Risks

Since there is no grace period in place, organizations that previously relied on the Privacy Shield must quickly assess the extent of the impact the CJEU’s ruling will have on their business. This means having an up-to-date inventory of their EU-US data flows, along with the access privileges needed to identify which specific data flows are affected. Ultimately, it may be necessary to change or divest any activities that rely on affected transfers. It is also important to note that the ruling does not only affect the transfer of personal data to the United States—it could affect transfers to all other third countries, depending on whether their legal systems afford the level of data protection that the EU expects. Where that protection does not exist, and there is no adequacy decision in place, organizations will need to establish additional safeguards around data transfers.

Risk professionals can work with their organizations to understand the ruling’s wider operational, financial and strategic impacts on the business. Inevitably, any data protection impact assessment will involve investigating alternatives for personal data transfers that are still valid under the GDPR.

The main alternatives are standard contractual clauses (SCCs) and binding corporate rules (BCRs). SCCs are standard sets of terms and conditions that the senders and receivers of personal data both agree to. BCRs are data protection policies that are designed to allow multinational companies to transfer personal data from within the EEA to their subsidiaries located in other countries. There is considerable complexity involved with both, so it is important to investigate whether they are suitable for the specific personal data transfers that the organization requires.

Nine Critical Next Steps

Organizations should reassess their data strategy in response to the CJEU’s ruling. Risk professionals can play an important role in supporting their organization by addressing these nine key activities:

1. Reexamine data strategy at an organizational level. What data is being transferred across borders and why? Is it necessary to transfer the data or can it be simply gathered and stored in-country? Organizations should consider how they can modify their strategies to ensure an adequate level of protection when sharing personal data.

2. Perform data-flow mapping exercises. These will help organizations build an in-depth understanding of their cross-border data flows. An organization should understand what data it is exporting, where it is sending the data, who is receiving the data, for what purpose, and how long it is being kept. Does the data still hold value for the organization or is it being collected, stored and transferred unnecessarily?

3. Identify appropriate cross-border data transfer mechanisms. For international organizations, these mechanisms are likely to be binding corporate rules. Nevertheless, the development, endorsement and implementation of BCRs is typically a complex and time-consuming process, so it should be viewed as an extended project.

4. Design robust consent management processes. When relying on derogations as a data transfer mechanism, consent management should be properly designed. Consent must be explicit, specific and informed. In addition, consent should only be used under certain conditions—for example, consent should not be used for very large or recurrent transfers.

5. Evaluate additional safeguards for BCRs and SCCs. These safeguards will be necessary to ensure that cross-border transfers involving EEA data receive the level of protection equivalent to that in the EEA itself.

6. Update privacy policies and procedures. Privacy should be designed into the data transfer process. Transfers should be limited to what is reasonable and necessary. Data protection impact assessments should consider the legal regime in third countries, as well as the potential for public authorities to access the data.

7. Apply identity and access management/privileged access management. Organizations can reduce their risk of breaching the CJEU ruling by better controlling and safeguarding access to their data. This means conducting a review of who can access the relevant data and limiting that access to a select group of individuals. Where possible, it also means reducing the amount of personal data that even this select group can retrieve.

8. Implement privacy by design into systems architecture and business practices. When privacy measures are reflected in technical architectures and business practices, they help to ensure acceptable levels of data protection.

9. Use encryption, anonymization and pseudonymization. By applying these security techniques, organizations can address and manage specific concerns around surveillance.

Stronger Strategies Through Compliance

Invalidation of the EU-US Privacy Shield creates a new set of data-related risks for organizations to manage. Risk professionals can provide valuable support for this process by helping their organizations to rethink data strategies, particularly the use of data transfers. While it will take time and effort to implement alternative cross-border data transfer mechanisms, the exercise can also be an opportunity for organizations to design and incorporate privacy mechanisms into their policies, practices and systems, and find more effective approaches for managing and transferring data in the future.

Kris Lovejoy is global cybersecurity leader at EY.