So Long, Privacy Shield

Paul Sonntag, Director, GDPR and Privacy

In what’s rapidly becoming the splashiest news to hit the privacy space in years, the Court of Justice of the EU (CJEU), the highest court in the European Union, invalidated the U.S. Privacy Shield, a legal instrument that made it possible for organizations operating in the United States to transfer EU personal data to the U.S. To add to the impact, the CJEU provided no grace period for this change, meaning that the 5,000+ organizations currently enrolled in the Privacy Shield program are effectively out of compliance as of the decision’s publication on July 16.

Prior to this decision, there were four main avenues a U.S.-based organization could use in order to transfer data out of the EU:

  • Privacy Shield: The lamented and now invalidated U.S. Department of Commerce program requiring participating organizations to maintain a privacy policy enshrining seven “principles” (notice; choice; accountability for onward transfer; security; data integrity and purpose limitation; access; and recourse, enforcement, and liability). The EU’s acceptance of the Privacy Shield assumed reliable enforcement, for which the Federal Trade Commission is responsible, as well as an ombudsman to which EU citizens could appeal for redress if they believed their personal data was being misused, and which would be presumed to have the authority to overrule U.S. federal law enforcement and surveillance activities.
  • Standard Contractual Clauses (SCCs): Model contractual language published and maintained by the European Commission that establishes a legal mechanism for transfer when included in the contract between a European organization transferring data and its U.S. counterpart. These clauses are chiefly used as part of an agreement between two companies, or between a U.S. company and its European agency. Notably, Facebook relies on SCCs to establish transfer adequacy.
  • Binding Corporate Rules: Standard privacy and security controls the organization implements to govern its collection and use of EU personal data. These must be approved by the Data Protection Authority (DPA) of the EU member state in which the organization mainly operates, and typically require annual assessment and validation.
  • Standard Derogations: Exceptions specifically called out in the GDPR for transfer, which include explicit consent from the data subject, and any transfer required for the performance of a contract.

The case, Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems, also known as “Schrems II,” centered on the question of whether the SCCs could legitimately provide protection for personal data in the U.S. equivalent to what’s required in the EU in light of U.S. data surveillance practices. In something of a surprise twist, the CJEU validated SCCs as a transfer mechanism (with some important provisions), but then pivoted and ruled Privacy Shield invalid on the grounds that it was inadequate due to the apparent lack of the ombudsman’s ability to exert any control over U.S. intelligence and law enforcement collection of European personal data.

This outcome wasn’t surprising for anyone who has been following U.S. and EU privacy matters for any amount of time. Many of the complaints levied against Privacy Shield were the same complaints from back in 2015, when the CJEU invalidated Privacy Shield’s predecessor, the U.S. Safe Harbor program. Europeans tend to view privacy as a human right, so they have never been comfortable with the American perspective, which tends to view privacy as more a question of monetizable business assets and a cost of doing business. The perceived threat of the FISA courts (which, along with the notion that the NSA is tapping undersea cables for snooping, is specifically called out in the decision) doesn’t help matters. Honestly, Privacy Shield’s fate was probably sealed from the beginning, so for years Coalfire has been advising our clients to use Privacy Shield only as a stopgap measure to achieve compliance while pursuing more robust transfer mechanisms such as Binding Corporate Rules (BCRs).

So, what now? In its decision, the court emphasized the requirement that EU member state DPAs must take action to invalidate those data processing agreements based on SCCs in which the protection the clauses require can’t be reasonably assured. This creates a greater obligation for organizations collecting EU personal data to make certain not only that they have adequate privacy and security measures in place, but that they are much more vigilant and demanding of the third-party data processors with whom they enter into data transfer agreements. The ‘sign-it-and-forget’ days of SCCs as standard contract template language are all but over. All organizations will need to be able to implement and demonstrate solid privacy and security controls, including measures like end-to-end encryption. Those organizations relying on BCRs should assume a similar level of heightened scrutiny from their respective DPAs as well. Finally, those organizations relying exclusively on Privacy Shield must take immediate action to identify and implement an alternate means of establishing a mechanism for transfer, such as pursuing BCRs.

Privacy has always been a dynamic and rapidly shifting space, and that’s never been truer than today. The rise of next generation data processing technologies such as artificial intelligence and machine learning, the wholesale migration to international cloud infrastructure, and the increase of customer awareness and trust expectations have already complicated the environment for organizations dealing heavily in personal data. The Schrems II decision, while every bit the system shock it seems, only underscores the need for strong, deeply integrated privacy controls, an understanding of the constantly evolving risks, and a crisp, agile approach to ensuring privacy and data protection at all levels of the organization.
