"There are concerns that data protection authorities may have different requirements for SCCs moving forward, so companies should seek legal advice to ensure their SCCs are completed correctly."
Jodi Daniels
On July 16, the European Union’s top court overturned the 2016 Privacy Shield agreement that had allowed EU users’ data to be transferred to US companies, citing those companies’ inability to protect European users from surveillance by US intelligence agencies.
The European Court of Justice (ECJ) struck down the transatlantic transfers after Max Schrems, the privacy advocate behind the case, argued the US lacks a comprehensive, GDPR-style federal privacy law that would safeguard EU users.
So what does this mean for the more than 5K companies that rely on Privacy Shield for GDPR-compliant data transfers?
We’ve enlisted the help of two privacy pros to navigate this latest data privacy conundrum: Red Clover Advisors CEO Jodi Daniels will outline the next steps US publishers will need to take. Adzerk Principal Product Manager Larry Karnowski will explain how tech vendors can continue to transfer EU user data safely.
Please note: This article is for informational purposes only. Please seek legal counsel to determine how the Privacy Shield ruling affects your business.
What US publishers need to know
From the EU’s standpoint, Privacy Shield has ended and there is no grace period for the US companies left wondering how to ensure GDPR compliance for the bulk processing of EU user data they currently outsource.
Individual data transfers — those necessary for companies to maintain user expectations (e.g., booking a flight on Expedia, sending a message via Gmail, website personalization on Amazon, etc.) and for which users have granted consent — can most likely continue under the GDPR’s ‘legitimate interest’ clause.
What US publishers need to do
The European Data Protection Board (EDPB) has issued an FAQ for EU companies that addresses many of the most pressing questions US companies share. The US Department of Commerce has also published an updated FAQ on its Privacy Shield Framework.
Jodi Daniels helps us view these through a publisher lens and offers actionable next steps:
Should I maintain current Privacy Shield protocols to avoid litigation by US partners?
Publishers should maintain their current Privacy Shield protocols for a few reasons:
- First, you need to honor the commitment you made for all data collected before Privacy Shield was invalidated.
- Second, the obligations you’ve honored under Privacy Shield are the same obligations in your Standard Contractual Clauses (SCCs); you’ve already committed to the good privacy and security practices that certified you under Privacy Shield.
Can I fall back on the Standard Contractual Clauses (SCCs) in my Data Privacy Agreements (DPAs)?
Yes, you should rely on your Standard Contractual Clauses and make sure you can meet all of the criteria outlined in them.
How does this change how I transfer EU user data — for instance, via AWS (Amazon Web Services)?
AWS and other data processors have oodles of customers relying on them, so they’ll also need to rely on their SCCs to continue doing business with you.
Do smaller publishers have an advantage over large publishers like Facebook?
I don't think there's an advantage if you’re small or large; any company that is transferring data from EU users is going to be at risk. The volume of EU data transfers is more indicative of that risk than company size.
Next steps for US tech vendors
As a data processor, Adzerk and other tech vendors are also affected by the Privacy Shield ruling. Principal Product Manager Larry Karnowski has reviewed the SCCs in Adzerk’s Data Processing Agreements (DPAs) and assured customers that Privacy Shield protocols will be maintained. It’s important that every company have a documented, legal basis for transferring data outside of the EU, or it risks steep GDPR fines.
"I strongly recommend that EU and US companies review your agreements with all vendors and customers. Make sure all your up- and downstream Data Processing Agreements include valid SCCs. Also, now is a great time to clean house on the data you are collecting and transferring."
Larry Karnowski
What might happen next
While we anticipate major pushback from US companies in the coming weeks, it’s hard to predict how the EU might respond, given what they see as a final decision.
Some in our industry predict a data privacy trade war; others, like Jodi Daniels, predict this is another push towards a federal US privacy law on par with the GDPR.
“This could be where large companies — with the large budgets to manage the legal fees — could have an advantage, as without Privacy Shield, moving data across borders is neither ideal nor efficient.” Jodi adds, “I’m hopeful that the leading multinational companies relying on Privacy Shield can move us towards a more meaningful national privacy law, so the EU sees the US more favorably, like our Canadian neighbors to the north.”
We’ll continue to follow this story and share updates as they become available.
Jodi Daniels is the founder and CEO of Red Clover Advisors, a boutique privacy consultancy that helps companies build customer trust while complying with global privacy laws such as GDPR and CCPA.
Larry Karnowski is a Principal Product Manager at Adzerk, a suite of APIs that make it easy to build custom ad servers.
Thanks to Jodi and Larry for sharing their insights and expertise.