Comment On 16 July, the European Court of Justice struck down Privacy Shield, an EU-US agreement that required American companies to sign up to a higher standard of privacy to be considered, perhaps somewhat condescendingly, “adequate*” for compliance with the bloc’s General Data Protection Regulation (GDPR).
You will no doubt soon be buried under articles taking apart this decision in detail, but allow me to summarise most of them for you: US-based facilities handling information of EU citizens will now require their explicit permission, or the EU’s rather painful GDPR fines may loom.
There are a number of business communication gotchas to be aware of.
When an organisation’s only customer interface is via Facebook or Twitter (to name the main ones), it forces customers to agree to terms that harm their privacy in order to communicate. Granted, that’s not entirely the organisation’s problem, until such time as customers are left with no other option because, for instance, it is a utility.
That has not changed from when Privacy Shield was OK for those who preferred not to look too closely, and there is still some margin using opt-out “standard contractual clauses” (SCCs) that have been allowed to remain valid, for now.
Where it gets interesting is the use of US-based companies for email and messaging. When an EU organisation uses US resources for receiving customer email or messages it is, by default, exporting personal information to a country that is now without adequate privacy protection. The problem: when there has been no prior contact, this happens without the prior permission of said EU customer.
US companies will not want to lose their EU business (and, one could argue, their surveillance ability of their EU customers for whatever monetising activity du jour) so it is likely that they will set up EU-based data centres if they haven’t already done so.
This brings us to the newer problematic kid on the block in terms of US law: the “Clarifying Lawful Overseas Use of Data” Act 2018, or CLOUD Act for short, which allows a US court to demand personal data held by a US company, anywhere in the world, sovereignty be damned.
A US provider who has set up EU operations to seek GDPR compliance can therefore still not be considered safe from a privacy perspective (let alone “adequate”) as this CLOUD Act considerably exacerbates the conflict between the EU and US federal view of privacy, good state efforts such as the California Consumer Privacy Act (CCPA) notwithstanding.
Smaller organisations without much in the way of IT knowledge and resources are at particular risk and may be caught out by this. Using services such as Gmail or Microsoft Office 365 now requires a careful re-examination of their Terms & Conditions.
There could be costly consequences. ®
Peter Houppermans is a privacy and IT security expert.
* When it comes to adequacy agreements, for UK businesses there will be concerns, as some have pointed out, around the fact that the UK GDPR (which took effect this year but currently mirrors EU law) may quickly begin to diverge from the standards established by the GDPR, which would stand in the way of any potential adequacy agreement with the European Commission.