All multinationals need to demonstrate that they can adequately protect the privacy of personal data when transferring them from the European Union to countries outside the EU and the EEA. The EU-US Privacy Shield framework is used by close to 5,400 US companies to do that.
But on July 16, 2020, the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield because of concern over US government access to personal data for national security purposes, without redress options for EU persons.
The EU’s highest court also cast doubt on the long-term viability of every other mechanism—aside from Privacy Shield—that companies use to transfer EU personal data to countries that the EU does not consider adequate.
Hanging in the balance of multinationals' response to this landmark ruling is roughly $3 trillion in EU exports of goods and services to countries outside the EEA that need EU personal data to process these transactions.
The data protection authorities (DPAs) of the EU member states, in coordination with the European Data Protection Supervisor, are in the process of releasing guidance for companies to conform with the CJEU decision. But the divergence of opinions even among the state-level DPAs within Germany indicates that the harmonization process could take months. The CJEU decision places significant burdens and responsibilities on companies to consider such issues on a case-by-case basis with little guidance at this time. To date, there is no easy way for companies to check whether their conclusions on this topic are consistent with those of the 27 EU DPAs.
In any scenario, multinationals are likely to need an end-to-end approach to data protection across the lifecycle of their EU personal data that incorporates the “state of the art” IT security standards published in 2019 by the European Union Agency for Network and Information Security (ENISA). The PwC Data Trust framework can provide a robust approach and incorporates these ENISA standards.
Every major country operates a law enforcement or national intelligence agency, many with authorities that do not provide sufficient transparency or judicial redress for EU persons as required by the CJEU.
None of the other EU-approved mechanisms for commercially exporting EU personal data prevents government surveillance from occurring, even by the EU’s own intelligence agencies.
As a result, all multinationals doing business with Europe face the risk of EU DPAs mandating the termination of their EU data exports—unless they take “additional safeguards.”
The message from Brussels is clear: companies that have any kind of connection with the EU—enterprise clients, employees, or facilities—need an enterprise-wide approach to “additional safeguards” so that they can grow their European revenues during the global economic slowdown.
The focus of additional safeguards—what PwC calls “operational adequacy”—should be two-fold: (1) minimize, pseudonymize, tokenize, and encrypt EU personal data in transit and at rest; and (2) operate a robust and transparent mechanism to respond in a privacy-protective way to government requests for data.
Companies should take the following steps to prepare for operational adequacy:
If your company is using the EU-US Privacy Shield, convert to an alternative mechanism. Every company should identify EU data processors in its supply chain who rely solely on the Privacy Shield and secure commitments from them to adopt alternative mechanisms.
Inventory and map the instances where your company and its vendors are either exporters or importers of EU personal data relying on alternative data-transfer mechanisms. Assess their potential exposure to government interception and identify possible remediation options.
Design a cross-border data-transfer strategy that increases the value of EU personal data in a secure and ethical way. Adopt data-minimization, pseudonymization, tokenization, and encryption protocols for transfers of personal data outside the EEA in proportion to the potential risks identified in data transfer impact assessments (DTIAs).
Convert any ad-hoc processes for responding to court orders and other government requests for data into a formalized process with defined owners, legitimate refusal criteria and data-minimization steps. Train the executive leadership team and all IT personnel on the process.
Keep in mind that the CJEU decision arose because of concerns about the rights of EU persons. As your company reassesses its ongoing GDPR compliance in light of these substantial developments, continue to prioritize data-subject rights as well as ethical and appropriate data use as part of everyday operations.
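As an added illustration of the minimization and pseudonymization step and of the formalized government-request process above (example code written for this page, not part of PwC's Data Trust framework or any ENISA publication): the record, field names, allowlist and the EuTokenVault class are all constructed for the example. Tokens are keyed HMAC-SHA256 values, so the importer outside the EEA can still join records on them but cannot reverse them; the key and the token-to-value map stay inside the EEA, and the only way back to the person is a logged re-identification request that is refused when it lacks a documented legal basis and an approver. Transport and at-rest encryption of the exported record (TLS, AES-GCM) is assumed to be handled separately and is not shown.

```python
"""Added example (not PwC's code): minimize and tokenize EU personal data before export,
keeping the key and the token map inside the EEA. Standard library only; the sample
record, field names and allowlist are constructed for illustration."""
import hashlib
import hmac
import secrets
from typing import Any, Dict, List, Optional

# Constructed sample record, as an exporter's order system might hold it (hypothetical fields).
SAMPLE_RECORD: Dict[str, Any] = {
    "customer_id": "C-10042",
    "email": "anna.schmidt@example.eu",
    "full_name": "Anna Schmidt",
    "date_of_birth": "1984-03-09",
    "iban": "DE89370400440532013000",
    "order_total_eur": 149.90,
    "ship_country": "DE",
    "product_sku": "SKU-7781",
}

# Data minimization: only fields the importer needs to process the transaction may leave.
EXPORT_ALLOWLIST = {"customer_id", "email", "order_total_eur", "ship_country", "product_sku"}
# Pseudonymization: direct identifiers the importer needs only for matching/joining records.
TOKENIZE_FIELDS = {"customer_id", "email"}


class EuTokenVault:
    """Keyed tokenization service that stays inside the EEA (hypothetical component).

    Tokens are HMAC-SHA256 over (field, value): deterministic, so the importer can join
    on them, but not reversible without the key, and the same value in two different
    fields yields two unrelated tokens (field name acts as domain separation).
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key if key is not None else secrets.token_bytes(32)
        self._token_to_value: Dict[str, Any] = {}
        self.audit_log: List[Dict[str, str]] = []

    def tokenize(self, field: str, value: Any) -> str:
        msg = f"{field}\x00{value}".encode("utf-8")
        digest = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        token = f"tok_{field}_{digest[:24]}"
        self._token_to_value[token] = value
        return token

    def reidentify(self, token: str, requester: str, legal_basis: str, approved_by: str) -> Optional[Any]:
        """Formal re-identification path for government or court requests: refuse unless the
        request carries a documented legal basis and a named approver; log every decision."""
        approved = bool(legal_basis.strip()) and bool(approved_by.strip()) and token in self._token_to_value
        self.audit_log.append({
            "token": token, "requester": requester, "legal_basis": legal_basis,
            "approved_by": approved_by, "decision": "released" if approved else "refused",
        })
        return self._token_to_value[token] if approved else None


def prepare_for_export(record: Dict[str, Any], vault: EuTokenVault) -> Dict[str, Any]:
    """Apply minimization and tokenization; the result is what may cross the EEA border."""
    exported: Dict[str, Any] = {}
    for field, value in record.items():
        if field not in EXPORT_ALLOWLIST:
            continue  # dropped: not needed by the importer
        exported[field] = vault.tokenize(field, value) if field in TOKENIZE_FIELDS else value
    return exported


def leaks_direct_identifiers(exported: Dict[str, Any], original: Dict[str, Any]) -> bool:
    """Pre-transfer check: no original value of a tokenized or dropped field may appear in the export."""
    sensitive = {str(v) for k, v in original.items() if k in TOKENIZE_FIELDS or k not in EXPORT_ALLOWLIST}
    return any(str(v) in sensitive for v in exported.values())


if __name__ == "__main__":
    vault = EuTokenVault()
    out = prepare_for_export(SAMPLE_RECORD, vault)
    print(out)
    print("leaks identifiers:", leaks_direct_identifiers(out, SAMPLE_RECORD))
    # A request with no documented legal basis is refused and logged.
    print(vault.reidentify(out["email"], "importer", "", ""))
    print(vault.audit_log)
```

Deterministic tokens are a deliberate trade-off: they keep the exported records joinable, but they also let the importer (or anyone who obtains its data) count how often the same person appears, so where joinability is not required a random per-record token with the mapping held in the EU vault removes that residual linkability. The `reidentify` path is the technical hook for the formalized request process: the refusal criteria live in one place, and the audit log gives the owners of that process a record to show a DPA.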