Have you heard the news about Privacy Shield? This week, the European Court of Justice has basically just said that it is no longer valid.
This is a complex and far-reaching issue and something that we’re sure we’ll come back to. But for now, we’ll try and explain what we see the issues to be for businesses going forward.
What is Privacy Shield
Privacy Shield was an agreement between the US and EU around the transfer of data. This basically meant that any data which moved between the two was deemed to be safe. The agreement came into force in late 2016. This basically meant that US companies who processed EU data had to ensure that any data was stored in agreement with what was stipulated by the European data protection authorities. In short, it needs to live up to the standards which are laid out in the EU by the GDPR rulings.
A case was brought by Maximillian Schrems against Facebook Ireland. The case initially was to be heard in Ireland, however, it was referred to the European Court. Although the initial case was not about Privacy Shield as such, it quickly became part of the case. The EU court found that Privacy Shield did not offer the same protections to data as those provided within the EU. The ruling instantly invalidated Privacy Shield.
Within all this, there are also Standard Contractual Clauses (SCC’s) which are, at this point, still deemed to be valid.
This ruling has come as a bit of a shock, as data privacy is reviewed regularly. So no one was expecting this to happen.
What does this mean?
At the time of writing there hasn’t been much of an update from the ICO about this. The latest update is here
However, this has a wide-ranging impact on the transfer of data. For example, if you look at something as simple as embedding Google Maps into a website, that will be transferring data, which is now no longer supported by the EU.
Of course, this could be just the tip of the iceberg. In theory, anything, where data is transferred over to the US, is going to be an issue unless there are other measures in place.
But it’s not all bad news. AWS (Amazon Web Services) has recently issued a customer update which states that they are still compliant as they are using SCCs, and these are still deemed to be a valid method of securing data to transfer it outside the EU.
The other positive in this is that most of the companies which are transferring data across the pond are likely to be huge companies who rely on this flow of data. This means that they’re not likely to just ignore this.
As the situation is going to evolve, at present, our advice would be to keep an eye out for any updates which come out from either your software vendors or the ICO. There are likely to be a lot of updates which come in the following weeks.
We will keep monitoring this to make sure we’re armed with the latest information to pass on to our customers as needed.