EU-US Privacy Shield Is Dead, but the Risk Is the Same
August 20, 2020
Since 2016, thousands of US companies with international footprints have relied on the EU-US Privacy Shield to transfer data on EU citizens to the United States. The operational benefits provided by the Privacy Shield are now gone, but that doesn’t mean the risk has changed.
Yes, it will be difficult to comply with the new rules, but the same underlying risk remains: compliance with European privacy laws. Fortunately, companies can transfer risk related to data privacy with cyber insurance.
Brief Background on Privacy Shield
The EU-US Privacy Shield allowed US companies with global locations to transfer data originating from the EU to the US in a way that was compliant with European privacy laws.
The Privacy Shield provided the ability for companies to comply with EU privacy laws through a self-certification process. By self-certifying that specific controls were in place, companies could presume compliance with the data privacy laws of the EU.
However, on July 16, 2020, the Court of Justice of the European Union (CJEU) in Data Protection Commissioner v. Facebook Ireland and Schrems (“Schrems II”) stated Privacy Shield was no longer valid. The primary complaint was that Privacy Shield didn’t protect users from US authorities accessing the data nor did it give data subjects any sort of redress.
Famed privacy advocate and lawyer Max Schrems headed up the complaint, and it wasn’t the first time this issue was brought to light. Back in 2013, Schrems filed a similar complaint against Facebook (“Schrems I”), and in 2015 the CJEU invalidated the precursor to the Privacy Shield, known as the International Safe Harbor Privacy Principles.
After that, the new Privacy Shield aimed to address the issues that arose in Schrems I. But just like Safe Harbor, Privacy Shield allowed companies to continue to self-certify. Schrems II argued that Privacy Shield had the same issues as Safe Harbor (relating to US authorities accessing the data and the lack of redress) and that it was still an ineffective means of handling data.
The court sided with the plaintiff’s arguments and struck down Privacy Shield in favor of EU standard contractual clauses.
Contractual Clauses for Data Transfer
Now that Privacy Shield is no more, the EU is relying on standard contractual clauses (SCCs) as a way to safely approach data transfer from the European Economic Area (EEA).
SCCs are standard sets of terms and conditions that ensure compliance with the requirements of European privacy laws for handling data within countries that do not measure up to the EU’s expectations for privacy rights, like the US.
The EU has currently released three sets of contractual clauses, which can be found here. While these contractual clauses are a valid mechanism for data transfer, the burden remains on companies to ensure that the destination country will provide adequate protection. If conflicts arise, the data exports should be abandoned, according to the law.
Since the CJEU already brought to light the issues related to US government access to transferred data, this is a tricky situation for US companies.
The Risk Is the Same
So where does that leave us? For one, the risk hasn’t changed. The real risk under both the Privacy Shield and SCCs is the risk of non-compliance with EU privacy laws.
The downside of not complying with European privacy laws was already massive. For example, violations of data transfer under GDPR can result in fines or penalties from a regulator of up to approximately $24 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Further, many US-based companies which are processing data on EU citizens on behalf of EU companies were already agreeing to contractual remedies with those EU companies for a failure to comply with EU privacy laws. With the Privacy Shield declared invalid, those contractual remedies remain the same.
The key differentiator now is that it’s going to be harder from an operational standpoint to comply with SCCs versus the old way of self-certifying under Privacy Shield.
In other words, the risk is the same for US companies but the operational aspect of complying will be even more cumbersome. Companies can reasonably expect increased scrutiny by authorities, individual data subjects, and the companies exporting data to the US regarding these data transfers.
Transferring Privacy Risks
Faced with a considerable amount of risk, for many companies the next logical step is to transfer it. When many people think of cyber insurance, they immediately think of cyber security and hacking.
But cyber insurance also provides coverage for data privacy, including the risk associated with an invalid data transfer. In fact, policies used to be known as “Privacy and Network Security Liability” policies.
This coverage can respond to everything from liabilities assumed under a contractual obligation to government and law enforcement regulatory investigations.
This would cover legal expenses, fines, and/or penalties incurred if a company were to find itself embroiled in legal woes coming from an official authority or a data subject regarding a privacy law violation.
There is no grace period for companies that utilized the Privacy Shield to comply with the EU privacy laws, so the risk is clear and present. After certifying compliance with the EU privacy laws with the local regulator, ensuring you have adequate cyber coverage is the next best step for US companies that plan to transfer data from the EEA.
Woodruff Sawyer D&O Thought Leadership