The long-term effects of striking down the U.S. Privacy Shield agreement by Schrems II, the European Court of Justice in Luxembourg, will take some time to become apparent. One immediately clear statement to US businesses holding personal information (PI) data on EU citizens was the lack of a grace period for GDPR (General Data Protection Regulation) compliance by the European Data Protection Board (EDPB). It enforces the intentions of the GDPR to ensure that all data on EU citizens when stored in countries with less stringent privacy regulations will now be scrutinized. Although no one wants commerce between countries to be interrupted, there will be many bumps ahead until faster, simpler ways to handle personal data are in the hands of the mass market.
The Privacy Shield Trans-Atlantic Data Transfer Pact, designed by the U.S. Chamber of Commerce, the European Commission and Swiss Administration, had been under heavy scrutiny from its inception. When a compliance framework protecting a few thousand U.S. businesses is based entirely on self-certification, its prospects for success are not high.
Now that Privacy Shield has been knocked down, U.S. businesses need an alternative channel to prove that its storage of personal data on E.U. citizens is protected even if it is processed across the Atlantic.
There are still some transfer tools that are permitted, although neither are easy to follow, the Standard Contractual Clauses (SCC) and Binding Corporate Rules (BDR). Use of either one comes with many conditions, including performing an assessment of an organization’s data, taking into account the circumstances of the transfers, and certain supplementary measures that ensure that U.S. law does not impinge on the adequate level of protection guaranteed by EU data protection. For further investigation, read the FAQs on the Judgement of the Court of Justice of the European Union in Case C-311/18 “Data Protection Commission v Facebook Ireland Ltd and Maximillian Schrems.
There are far-reaching implications even for US government agencies by the E.U. court striking down the Privacy Shield. Will federal agencies like the SBA (Small Business Administration) assist thousands of its aid recipients previously covered by Privacy Shield, and now must change how they handle the personal information (PI) for its EU customers? Will the Census Bureau in the next Census be required to change how they manage its PI on EU citizens who are counted in the census figures? Has the subject been raised and explored? Some organizations may believe that by encrypting EU citizen PI data in jurisdictions outside the EU are safe. However, the subject remains uncertain and controversial for several reasons among them that any government audit or injunction would expose this PI data no matter how well it was safeguarded.
One aspect in all these legal proceedings is clear – the dire need for fast, simple and accurate data discovery, data mapping, and compliance assurance of personal information (PI). MinerEye has the capability to automate all these processes.
And U.S. companies need to act immediately and not wait until the legal dust settles. This is a clear-cut directive for a different approach to handling PI for both privacy and business concerns. Even if American and European officials will now try to negotiate a new deal for transferring digital information, the need for fast and simple data discovery, mapping and privacy compliance is not negotiable.