The EU-U.S. Privacy Shield was invalidated by the ECJ in July this year. The changes came into effect a month later, but were businesses prepared for this? What are the immediate ramifications of this verdict? Is there a way out? How are MSMEs coping with this sudden change? Was the change really required, or was the verdict too harsh? What does the future hold? That’s a lot of questions with few answers.
In a fireside chat with Mihir Bagwe, Tech Writer at CISO MAG, Robert Meyers, Channel Solutions Architect at One Identity, answers the What, When, and How of this subject. An accomplished and experienced IT professional, Robert has been instrumental in providing strategic direction, management, planning, and operational support for all the organizations he has worked with. Additionally, he has implemented and trained internal teams and clients on MOF, ITIL, project management, and various technologies in the biotech, health care, financial, and manufacturing spaces. His broader experience covers a host of other fields, including telecommunications, networking, systems engineering, administration, service desk, data center operations, and information technology security.
Let’s take a look at the edited excerpts of the Q&A session:
1. Establishment of the EU-U.S. Privacy Shield
A. Although U.S.-based companies were already using SCCs to authorize the transfer of data across the continents, the Privacy Shield was established with transatlantic commerce specifically in mind. It provided a mechanism for U.S.-based companies to comply with data protection requirements to the standard of EU privacy regulations. The idea was to simplify the regulatory requirements. Interestingly, it had some of the same fundamentals as the GDPR, like self-certification that a company is following them. However, this proved not to be a valid mechanism for companies, as privacy professionals have been urging companies to convert to SCCs after the European Commission’s recent decision. Honestly, this was something many expected to happen.
2. Standard Contractual Clauses vs. the Privacy Shield
A. SCC stands for Standard Contractual Clauses, which facilitate data transfers between EU and non-EU countries. The European Commission has decided that SCCs offer sufficient safeguards on data protection for data being transferred internationally. The EU-U.S. Privacy Shield was an agreement specifically between the EU and the U.S. It allowed the transfer of personal data from the EU to the U.S., whereas SCCs cover a broader range of countries. One component that many people do not realize is that with SCCs, one of the things you are in essence protecting against is state actors, including your own.
3. Instant Ramifications of Invalidation
A. The EU-U.S. Privacy Shield being declared invalid has virtually blocked data transfers between the two continents and could impact the daily activities of organizations storing information about Europeans in the U.S. Ideally, U.S.-based companies should look to convert to SCCs to keep transferring data across the Atlantic, because there is no other alternative available in the foreseeable future. It impacts nearly all fields, from e-commerce to social media to medical research.
4. The Role of Schrems II
A. This is where it all began. Schrems II invalidates the EU-U.S. Privacy Shield while validating the use of SCCs. Before giving the verdict, the future of EU-U.S. data flows and data transfer mechanisms was examined. The Privacy Shield was then invalidated due to the lack of trust in U.S.-based companies, and the lack of standing European citizens held in the court created by the Foreign Intelligence Surveillance Act.
5. What’s the Catch?
A. The ECJ has additionally recommended that data protection authorities (DPAs) should suspend or prohibit a transfer of personal data to a third country if they believe that the country in question cannot comply with the standard data protection clauses and the GDPR. This means that U.S.-based companies that have not yet converted to SCCs can have their cross-Atlantic operations suspended.
One thing to remember is that SCCs are used in many countries where the protections are significantly less than in the U.S.
6. Effects of SCCs on MSMEs
A. Converting to SCCs is currently mandatory and technically beyond one’s control. However, the best way at the moment is to pick one of the pre-written SCCs that fits best and use it. The fact is that it will not be a large change in the way the work is done in order to keep transferring data between the EU and the U.S. Additionally, while the paperwork may be different, the tasks are by and large the same as those faced when using the Privacy Shield.
7. Scope for Reconciliation?
A. They have been, and the problem is that there is a fundamental difference between the way the U.S. and EU view data privacy. In the U.S., most hold data as needing security and therefore gaining privacy. In the EU, it is understood that data is just information, and people need privacy. That fundamental difference is hard to get around at the best of times. The EU holds the U.S. government to a higher standard than it holds itself, and thus, there is a fundamental rift that needs to be understood before it can be corrected. The first step towards solving the puzzle for the two is the need to come to an agreement on the definition of what privacy means. Then there is a possibility of building a new treaty. However, I doubt many privacy professionals would recommend anything other than SCCs for a long while.
8. What the Future Holds
A. Before starting anything, aim at the hardest local standard in the U.S. – the CCPA. Additionally, make sure your infrastructure has implemented all 20 components of the SANS CIS 20 (a minimum requirement for the CCPA as per the CA DoJ), and then work through the SCCs and GDPR controls. But always start closer to home, and you will be surprised how much easier it is to complete.
About the Interviewer
Mihir Bagwe is a Tech Writer and part of the editorial team at CISO MAG. He writes news features and technical blogs, and conducts interviews on the latest cybersecurity technologies and trends.