the EU-US privacy shield: What's next forENTERPRISES?

Editorial Type: Date: 11-2020 Views: 626 Tags: Security
A new ruling has shaken up how the EU and U.S. regard data protection and data privacy

The European Court of Justice (ECJ) judgment invalidating the EU-US Privacy Shield has caused uncertainty for many enterprises and presented them with challenges on how to handle private data. In the long term, this ruling offers European enterprises valuable chances for reassessing data-driven business models and re-imagining them in a way that is compliant with the required protections of personal data. Things may not be so simple for US enterprises seeking trade in Europe.

As with its predecessor, the Safe Harbour Privacy Principles, overturned in 2015, the EU-US Privacy Shield determined that transferred data in the United States was not sufficiently protected under the current EU law (GDPR) demands. Standard Contractual Clauses, which constitute the foundation on which many enterprises transfer data to the USA, continue to be valid. If, however, it turns out that, despite these clauses, data protection in the United States (in real and concrete cases) does not take place, this last remaining legal basis will undoubtedly be invalidated as well.

Private digital data is increasingly valuable and is a highly sought-after resource - 'the new gold'. There are different motives when it comes to processing and using data, namely:
= For more effective monitoring and control of an entire population
= For the pursuit of one's own geopolitical interests
= For the benefit of specific economic interests
= With focus on data protection and the rights of individuals.

Cloud computing and the networking of a wide variety of systems mean many European companies send data streams to the United States, where the international market leaders, the so-called 'big players', are based. The ECJ's ruling means there are many enterprises that are compelled to act now.

We asked Cryptshare CEO Mark Forrest to offer his thoughts on what has transpired:
What are the key takeaways from this ruling?
Mark Forrest: This ruling did not take place in a vacuum. We are looking at 20 years of legislation: From the Safe Harbour Privacy Principles to the EU-US Privacy Shield, the practice of self-certification had enabled companies to tick a box and say, "Yes, we comply". They did not have to prove their compliance, rather their non-compliance had to be proven. This practice has now been ruled invalid.

European legislation demands that privacy requires specific top priority guidelines. In the United States, other factors are in the foreground: National security takes precedence over data protection concerns, meaning privacy gets put aside, or is diminished as a consideration. With this ruling, there are penalties in place that can be large for companies that breach the EU requirements and the case against Facebook has been re-opened.

The US has a strong national agenda; their economic interests and national security concerns don't necessarily align with EU data protection laws. The question now is how the US will respond. Will US companies be fined for violations of GDPR or could US intelligence agencies be restricted in their access to the personal data of European citizens? We should expect some debate; with national security, it is a two-way street. Data-driven business with high economic value is more biased to US interests.

What are the implications for European enterprises?
MF: Many will look at this and think, "There is nothing we can do". Most use tools provided by third parties from outside the enterprise and there is a high dependency on external contractors. In today's world, there is no going back from using office tools, databases, analytics tool, integrations…it is not only cloud service providers offering these, and the biggest players are in the US; in Europe, we have fewer data-driven businesses, and many promising EU based technologies and start-ups have been acquired in their infancy.

If you remove those tools because US companies don't meet the required standards of GDPR, many EU companies can't function well. European enterprises are required to comply with all data protection laws, so they must identify any areas where they don't and take action. If they fail to do so, they risk getting dragged into a maelstrom of fines. The potential financial consequences of this ruling are huge.

What can enterprises do, in concrete terms?
MF: This ECJ ruling was effective immediately. So, it is important for enterprises to act now and mitigate the potential risks. European companies operating mainly in Europe already have a high standard to meet, namely the GDPR; they run into trouble when they employ the services of companies that don't comply. European enterprises need to divert the risks that suppliers can cause for them and require their compliance with any applicable EU data protection laws. Eventually, there will be a new agreement increasing the pressure on the US to change priority, but until then businesses must ensure their compliance with today's legal reality.

How has Cryptshare reacted to this?
MF: Enterprises must comply the way they needed to before. For European companies operating in Europe, we already have a high standard, which we help companies to meet. Data is one of today's most valuable assets; entire business models are built on it. Therefore, it greatly matters where this data goes and what happens to it, once it is there. Enterprises need a product like Cryptshare to protect their data in transit, and make sure it remains safe between senders and its intended recipient, not falling victim to predators that include data-driven businesses, bad actors and governments both legitimate and malign. That is the essence of the ECJ ruling.

Where can transatlantic data privacy agreements go from here?
MF: Action is required from all parties; politicians must draft a new agreement between the EU and the USA that constitutes a sustainable and resilient basis for all future data transfers to the USA, and this must be done quickly. In order to stand up to the scrutiny of the ECJ, any agreement must ultimately meet the data protection requirements that EU standards demand.

In the United States, other factors are clearly given priority, namely their economic interests and their intelligence agencies' wide-reaching powers to access personal data, regardless of its origin or location. They have so far shown little willingness to make concessions to European data protection laws, should they come at the expense of their national interests. It currently seems that it will be up to Europe to make its own demands for data protection and data privacy a reality, as the US seems unwilling to concede ground.
To find out how enterprises can exchange sensitive messages and files in a secure, traceable and compliant way, go to: