The EU-US Privacy Shield Ruling: Staying Compliant

How does the European Court of Justice’s July 2020 ruling impact you and your data?

On 16 July, the European Court of Justice (ECJ) invalidated Privacy Shield, a framework that allowed personal data transfers from the European Union and Switzerland to the United States, ruling that Privacy Shield does not live up to the data protection standards set out in the GDPR.

Our data privacy team immediately began the work to understand what this ruling meant for our customers. “We have always provided overlapping protections with our Data Processing Agreements under both Standard Contractual Clauses (SCCs) and Privacy Shield frameworks,” says Cole Krems, Convercent VP and Global Head of Information Security and Data Privacy. “Although the ruling invalidated Privacy Shield, the SCCs remain valid protecting our customers.”

SCCs are likely to play a key role moving forward, since a Privacy Shield replacement could take up to a year to create and agree between the governments. While our work to identify and modify references to Privacy Shield and incorporate SCCs continues, we wanted to provide as much information as possible, as soon as possible. We collaborated with Keith Read, our Chief Compliance Officer and Advisor in Europe, to proactively answer some questions that we imagine ethics and compliance professionals may have.

What is Privacy Shield?

In general terms, personal data flows from the EU to non-EU countries (with the exception of the UK until the end of the Brexit transition period) are prohibited under the General Data Protection Regulation (GDPR) unless and until certain controls, processes and safeguards are put in place to ensure adequate data protection.

Privacy Shield is a framework permitting transfers of personal data from the EU and the UK to certified US-based organizations that have agreed to higher standards of data protection than those currently required under US laws, recognising that there is no single principal data protection law in the US. This requires greater cooperation between the US and European data protection regulators. Major services such as Zoom and Gmail have relied on Privacy Shield.

Privacy Shield replaced a previous framework called Safe Harbor, whose validity was successfully challenged in the Court of Justice of the European Union (CJEU) by data privacy campaigner Max Schrems.

What was the ECJ case and EU-US Privacy Shield ruling?

After Safe Harbor was successfully challenged, Schrems filed a second case in 2018, arguing that Privacy Shield also failed to protect EU citizens’ rights in accordance with EU laws.

Essentially, the ECJ case related to the issue that the EU-US Privacy Shield does not provide a comparable level of data protection to the GDPR; the ruling by Europe’s very highest court was that the scope and pervasiveness of the US surveillance framework (such as the US Foreign Intelligence Surveillance Act (FISA)) does not allow a sufficient degree of protection for European data, putting it at a risk that would violate rights afforded to citizens under the GDPR.

On 16th July 2020, the ECJ invalidated Privacy Shield, the EU-US agreement that allows transfers of personal data between the EU and some 5,300 certified companies and organizations in the US.

When did Convercent become aware of the ECJ ruling, and how are we responding?

Convercent puts very considerable effort into the monitoring of international legal developments, particularly in the fields of data privacy, whistleblowing, and employment.

The ECJ ruling was given on Thursday, 16th July. Shortly after midday (BST) on Friday 17th July, a summary of the ruling was circulated to eight key individuals within Convercent to alert them to the ruling and its consequences; a team lead was immediately appointed to organise our response.

We have begun to identify and modify references to Privacy Shield and also incorporate Standard Contractual Clauses, but this is the first week post-judgement and that work continues.

Does the ECJ ruling affect Convercent’s customers in any way?

Clearly, the invalidation of the EU-US Privacy Shield is significant, but the ECJ’s ruling does not impact the ability to transfer data between customers and the Convercent application. Convercent has always provided overlapping protections. Our Data Processing Agreements incorporate the updated Standard Contractual Clauses (SCCs) from the European Commission, as well as European Data Protection Board (EDPB) recommendations on supplementary measures to ensure compliance with the EU level of protection of personal data.

Unless a customer chooses a US data storage option, customer data will still remain solely hosted in Europe and not transferred outside of the EU as its primary location.

Taken together, all these measures continue to ensure that Convercent meets, and exceeds, relevant data privacy requirements.

What about the regulatory position?

We continue to follow all official guidance. The UK’s Information Commissioner’s Office has specifically stated that it is “currently reviewing our Privacy Shield guidance after the judgment issued by the European Court of Justice on Thursday 16 July 2020. If you are currently using Privacy Shield please continue to do so until new guidance becomes available.”

What is Convercent’s Data Transfer Mechanism?

Convercent’s contracts with its customers incorporate the Standard Contractual Clauses approved by the European Commission as Schedule 2. In the light of the regulatory guidance above, in addition to Standard Contractual Clauses, Convercent remains Privacy Shield certified with respect to Customer EU Personal Data that Convercent processes. Convercent will maintain its Privacy Shield certification during the term of the contractual agreement and, to the extent there is any conflict between the body of the Data Privacy Agreement, Privacy Shield, and Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

What do SCCs provide?

The ECJ specifically ruled that SCCs remain fully valid for protecting our customers’ data transfers.

SCCs are standard sets of contractual terms and conditions which the sender and the receiver of personal data both agree to, aimed at protecting personal data leaving the European Economic Area (EEA) through contractual obligations in compliance with the GDPR’s requirements.

The SCCs contain clauses regulating the transfer and processing of personal data which are deemed to be in compliance with the GDPR. Their adoption effectively creates a contractual basis for transfers between data-exporting controllers and data-importing controllers/processors, whilst assuring compliance with the legal obligations of such entities and providing effective safeguards for the data subject, irrespective of where the processing activity may ultimately take place.

SCCs are used by many major companies, and Microsoft, for example, has issued a statement saying that it already uses them and is unaffected by the ECJ’s ruling. If you’re a Convercent customer and you have questions about the EU-US Privacy Shield Ruling and your contract, please reach out. We continue to partner with our customers and value your role in complying with GDPR and individual rights.