We live in a global, interconnected world. And that goes for data – and data security – along with everything else. For evidence, look no further than the Court of Justice of the European Union’s (CJEU) Schrems II judgment. If you’re based in the U.S., for example, a European court decision might not seem like it would have too much bearing on what you’re doing with data. If you’re transferring personal data internationally, however, you’d be very much mistaken.
The recent Schrems II ruling, made in July, fundamentally alters the existing framework dictating the transfer and processing of data from the EU to the U.S. Suddenly questions surrounding the international transfer of data, which is so important for thousands of U.S. companies, have been thrown wide open.
Invalidating the Privacy Shield
Under GDPR, the General Data Protection Regulation framework introduced in 2016, EU-U.S. data transfers were enabled under something called the Privacy Shield. A crucial part of transatlantic digital trade, the EU-U.S. Privacy Shield was an agreement between Europe and the United States which allowed personal data to move from one to the other, so long as the U.S. recipient conformed to certain privacy compliance standards matching EU privacy laws.
According to the University College London’s European Institute, more than 5,300 companies relied on the Privacy Shield, with the majority of them being small-medium enterprises (SMEs) and startups. U.S. Secretary of Commerce Wilbur Ross has said this transatlantic trade is worth $7.1 trillion.
Schrems II invalidated this Privacy Shield. The name refers to privacy activist Maximilian Schrems, who undertook legal action against Facebook Ireland as a result of its transfer of his personal data to the United States. The earlier Schrems I invalidated the existing EU-U.S. Safe Harbor agreement. Schrems II was ultimately decided in July 2020, when it was ruled that this transfer was unlawful. One of the main causes for concern was the role that U.S. surveillance and national security policy plays in intercepting data under certain conditions. As a result of Schrems II, it was made clear that the Privacy Shield was not fit for its purpose of protecting the data of EU individuals.
It affects businesses in a big way
All of this isn’t just of interest to privacy advocates, however. As noted, it has a significant impact on businesses. The changes that need to be made range from creating data maps that track all EU personal data transferred outside the EU to, in some cases, changing how data is processed, such as which cloud services are used, so that data belonging to EU citizens does not leave the EU at all. These reviews and changes also need to cover every vendor sub-processor involved along the data’s journey.
The full impact of Schrems II has yet to be seen. It could permanently alter the transfer of data to the U.S., or it could simply be a speed bump on the way to new EU Standard Contractual Clauses or a Privacy Shield 2.0 mechanism being put into place.
Nonetheless, Schrems II highlights how strong data security is more vital than ever. No longer protected by Privacy Shield, U.S. organizations must take extra steps to ensure that they are compliant with changing regulations. Events like data breaches, which have unfortunately become more common in recent years, are now even more likely to be punished under GDPR rules. Personal data can still be transferred to the U.S. and other jurisdictions via standard contractual clauses (SCCs), but these non-negotiable legal contracts must be examined on a case-by-case basis.
Data security is complex. But there are answers
Data security was already a complex issue before Schrems II and the end of the EU-U.S. Privacy Shield. Now it is even more so. Whether the goal is to avoid crippling fines or the forced termination of services, or simply to maintain customers’ trust and your reputation, this is the moment to improve data security. Bringing in professionals to help is one of the smartest moves you can make. They can provide granular context about how your data is used and by whom, using the latest machine learning tools.
They should also be able to assist with security, compliance, and monitoring to ensure that you are not caught out by processes you are unaware of. (That’s in addition to helping protect you from other, more malicious threats to the sanctity of data, such as potential hacks.)
July’s Schrems II ruling highlights just how quickly the landscape can change when it comes to data security. The environment is dynamic and ever-shifting, and it’s essential to stay vigilant about what is expected (and demanded) of you as a business owner. Taking proactive steps to make sure that data belonging to your customers is properly protected is a lesson every company should learn. The rules may change, often with very little warning. But practicing good data security will always serve you well when running a data-heavy business or organization.