This week, the European Court of Justice in Luxembourg ruled that the EU-US Privacy Shield agreement does not comply with European privacy rights (Court of Justice of the European Union Press Release No 91), on the grounds that the US is not a safe haven for EU citizens’ data due to disproportionate surveillance practices. Privacy Shield, created in 2016, allows businesses in the European Union and the United States to move data with ease between the two regions.
What does all this mean?
Firstly, this situation is not new; we have been here before. The same court struck down the Privacy Shield’s predecessor, Safe Harbour, in 2015 (Court of Justice of the European Union, Press Release No 117/15, 2015). The replacement for Safe Harbour — Privacy Shield — is used by 5,378 organisations who are registered to use the agreement actively; a further 709 organisations are registered as inactive users. These companies reside in the U.S., E.U. and Switzerland. If you are not one of these companies, you are not directly impacted. If you are one of these companies, you are now in limbo.
Eduardo Ustaran, a privacy lawyer at Hogan Lovells, in London recently commented to the New York Times: “The practical effect is actually huge. Any company that wants to transfer data overseas must now check the powers of other countries to have access to that data.”
Simply put you can no longer rely on Privacy Shield as a framework for data processing.
This is a reflection of an ongoing struggle to balance the needs of the European citizens’ privacy on one hand and the desire to facilitate trade on the other hand. In addition, concerns over mass surveillance used in the U.S. has grown significantly since the 2013 Edward Snowden revelations (Post-Snowden Efforts to Secure N.S.A. Data Fell Short, Report Says - The New York Times, 2017).
The European Court’s decision directly impacts the 5,000 organisations using Privacy Shield. It highlights areas that should be of concern to all European Union and Swiss data controlling and data processing organisations. Those impacts are that GDPR (European Union, 2016), both in the letter and the spirit of the law, is taken seriously in Europe and that GDPR compliance will be enforced.
Where possible, processing E.U. citizen’s data within the E.U. is going to be the more straightforward and less risky option. This is because the data processing will not need to rely on a legal framework, such as Privacy Shield and that could be challenged or struck down. Where there are third-party processors involved, organisations will still need to ensure that their data resides where they specify and that the data processor cannot relocate it without their prior approval. However, whilst many data processing agreements specify the preferred data residency location, they do not guarantee it. And of course, they need to ensure that the data resides in a controlled and secure environment where industry-leading security is built-in.
On Thursday, July 16, 2020, in a case examining transfers of data from the EU, the Court of Justice for the European Union issued a ruling invalidating the use of Privacy Shield. The EU-US Privacy Shield Framework was developed and agreed to by the European Commission and the US Department of Commerce in 2016. It enabled US organizations certified under the programs to legitimately receive personal data from the EU. The court did not specify if there would be a grace period for organizations who are reliant on Privacy Shield for data transfers to implement another transfer mechanism, and it is anticipated that guidance will be forthcoming from EU data regulators. European Data Protection Board announced it is ready to work with the US to create a replacement data transfer framework.
Despite the uncertainty around Privacy Shield customers can be assured that Proofpoint has been, and will continue to be, committed to complying with applicable data protection law. That commitment had previously included overlapping protections under both the Standard Contractual Clauses and Privacy Shield frameworks as well as robust privacy and security measures in accordance with GDPR, the Australian Privacy Act and most recently, the California Consumer Privacy Act. Proofpoint will also continue to have annual security audits and penetration testing performed by independent auditors and testing organizations. Proofpoint will continue to process all data with all protections required under applicable data protection law. For more detailed information on Proofpoint’s commitment to data protection, please refer to our Trust Site at https://www.proofpoint.com/legal/trust.
As a Privacy Shield-certified organization, Proofpoint understands that existing data processing agreements may need to be updated with an alternative mechanism. As the Standard Contractual Clauses remain a valid mechanism for data transfers from the EU to the US, any customer wishing to enter into the Standard Contractual Clauses can do so by signing a Data Protection Agreement including the SCCs, which can be found at: https://www.proofpoint.com/legal/trust/dpa. Finally, data transfers from Switzerland to US and the UK to US under Privacy Shield are still valid.
In conclusion, the European Union and data privacy activists such as “None Of Your Business” (noyb.eu) are going to stay active as long as U.S. surveillance laws remaining unchanged.
While the court decision to invalidate Privacy Shield raises an immediate issue for impacted organisations, it is a concern for all data controlling and processing organisations who need to ensure that personal data is stored and processed within the right security framework, access framework and data residency options.
Proofpoint’s data privacy agreement, including the SCCs, can be found on Proofpoint’s Trust site.