The pen is said to be mightier than the sword and now we find that the gavel is mightier than the shield.
On July 16, 2020, the European Union Court of Justice (ECJ) invalidated the EU-US Privacy Shield in its decision in Facebook Ireland v. Schrems (Schrems II). The court determined that the Privacy Shield transfer mechanism does not comply with the level of protection required under EU law, namely GDPR.
The decision will impact thousands of companies in the EU and the US and drastically change the way we trade data across the Atlantic. With so many ESPs either US based or within US group companies there are likely to be profound effects on the email marketing marketplace. If however, you are already an e-shot customer you do not need to be concerned about the new ruling as e-shot is entirely UK based, but of course this new ruling has far wider reaching implications than purely for email marketing so here is all the information that you need to know.
What Is Privacy Shield?
The Privacy Shield is a framework approved by the European Union and US government for complying with EU data protection requirements when data is transferred between the United States and the European Economic Area (EEA). It's not mentioned in the General Data Protection Regulation (GDPR), but it was spun out of GDPR as a way to meet the regulation's requirements.
Organisations were deemed to provide "adequate" protection of personal information as required by the GDPR if they conformed to the seven Privacy Shield principles.
Why was Privacy Shield invalidated?
As you can imagine, the decision was incredibly complex, but the court had two main issues with Privacy Shield.
The first issue is that US law enforcement can gain access to personal data that is transferred under Privacy Shield. The court argues that US policies prioritize national security over the rights and freedoms of EU data subjects. They claim law enforcement can access more data than what is strictly necessary, which violates the GDPR.
Safe Harbour failed at the ECJ in 2015 for the same reason: NSA and similar agencies have excessive access to personal data.
The second issue is that Privacy Shield requires the appointment of an ombudsman. The position exists, but the appointee lacks the authority to make binding decisions on US government and intelligence agencies, which means EU data subjects lack actionable rights in the US court system against government violations. This conflicts with EU law that requires EU data subjects to have a mechanism to redress privacy violations.
The result: Privacy Shield is no longer a valid lawful basis on which to transfer personal data from the EU to the United States.
So now what?
The EU-US Privacy Shield system "underpins transatlantic digital trade" for more than 5,300 companies. About 65% of them are small-medium enterprises (SMEs) or start-ups, according to University College London's European Institute.
Affected companies will now have to sign "standard contractual clauses": non-negotiable legal contracts drawn up by Europe, which are used in other countries besides the US. And whilst the validity of these agreements was also challenged the ECJ chose not to abolish them. However a question mark remains how long this will be the case and if their card is now also marked.
Data protection expert Tim Turner agreed, saying the ECJ's warning over the standard clauses could spell further trouble for US companies.
"If the law in the relevant country - let's say the USA - could override what the contract says, they don't work," he said. "I don't think SCCs escaped the court's judgement - for some key countries, it's probably just a stay of execution."
All this could mean further difficulties for US Data handlers operating within the EU, and whilst they continue to rely on SSCs in the short term, this may not prove to be a long term solution – so where data is concerned it is safer to work within the EU jurisdiction wherever possible to ensure that you are safe.
Advice from the ICO
The European Data Protection Board (EDPB) has now issued its FAQs on the invalidation of the Privacy Shield and the implications for the Standard Contractual Clauses (SCCs), and, despite of Brexit, this guidance still applies to UK controllers and processors. It is recommending that companies conduct risk assessments as to whether the SCCs provide enough protection within the local legal framework.
e-shot customers don’t need to worry
For e-shot customers this new ruling need not cause concern as all of e-shot’s infrastructure and data management along with the complete customer facing operation is based in the UK.
For more information on our infrastructure and security visit our Trust centre.
We are confident that we can help you, which is why we offer a free healthcheck to identify potential issues with your current programme and free advice on things that could be done to improve it.