Operational adequacy: the new safeguards needed for EU data exports

EU Privacy Shield decision spurs multinationals’ action on standard contractual clauses

  • The Court of Justice of the European Union (CJEU) on July 16 struck down the EU-US Privacy Shield as a method of transferring personal data from the EU to the US. Its reasoning cast doubt on the future of all transfers of European Union (EU) personal data to jurisdictions outside the European Economic Area (EEA).
  • Companies around the world are asking: what “additional safeguards” do we need to implement to continue operating in Europe?
  • Affected companies should focus on demonstrating operational adequacy, taking technical measures to reduce the exposure of their data to the surveillance of any government.

All multinationals need to demonstrate that they can adequately protect the privacy of personal data when transferring them from the European Union to countries outside the EU and the EEA. The EU-US Privacy Shield framework is used by close to 5,400 US companies to do that.

But on July 16, 2020, the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield because of concern over US government access to personal data for national security purposes, without redress options for EU persons.

The EU’s highest court also cast doubt on the long-term viability of every other mechanism, aside from Privacy Shield, that companies use to transfer EU personal data to countries that are not considered adequate by the EU.

Hanging in the balance of multinationals' response to this landmark ruling is roughly $3 trillion in EU exports of goods and services to countries outside the EEA that need EU personal data to process these transactions.

Which companies are directly affected?

Companies relying on the EU-US Privacy Shield framework

The nearly 5,400 US companies using the Privacy Shield should immediately adopt a different data-transfer mechanism. The other mechanisms available to them are derogations enumerated in the GDPR, standard contracts between data exporters and importers, binding corporate rules, and industry codes of conduct. To date, the most popular choice across industry sectors has been standard contractual clauses (SCCs).

Multinationals using Privacy Shield-certified vendors

The CJEU’s ruling directs the 27 EU data protection authorities (DPAs) to suspend EU data transfers even where SCCs are in place, if the destination country’s laws and intelligence practices compromise the SCC commitments. As a result, multinationals should identify all vendors processing EU personal data anywhere in the world outside the EEA, confirm which data-transfer mechanism they are using and evaluate on a case-by-case basis if the vendors should adopt “additional safeguards” to remediate country-specific compromises. Multinationals whose vendor populations number in the hundreds and thousands could face a substantial data-transfer fire drill.

Business-to-business cloud providers and tech firms

US-based cloud providers may see greater scrutiny from enterprise clients as a result of the CJEU decision, even though they are already under substantial scrutiny from EU regulators. Companies in the tech sector, which are more likely to be subject to US government demands for personal data in the national security context, may face a fresh spate of inquiries from their EU enterprise customers.

If a company already encrypts EU personal data in transit, has it met the “additional safeguards” standard?

Probably not

The DPAs of the EU member states, in coordination with the European Data Protection Supervisor, are in the process of releasing guidance for companies to conform with the CJEU decision. But the divergence of opinions among even the state-level DPAs within Germany indicates that the harmonization process could take months. The CJEU decision places significant burdens and responsibilities on companies to consider such issues on a case-by-case basis with little guidance at this time. To date, there is no easy way for companies to check if their conclusions on this topic are consistent with those of the 27 EU DPAs.

A more comprehensive approach is needed

In any scenario, multinationals are likely to need an end-to-end approach to data protection across the lifecycle of their EU personal data that incorporates the “state of the art” IT security standards published in 2019 by the European Union Agency for Network and Information Security (ENISA). The PwC Data Trust framework can provide a robust approach and incorporates these ENISA standards.

Why are multinationals all around the world, not just in the United States, looking to implement “additional safeguards”?

Intelligence collection is globally ubiquitous

Every major country operates a law enforcement or national intelligence agency, many with authorities that do not provide sufficient transparency or judicial redress for EU persons as required by the CJEU.

No global privacy agreement

None of the other EU-approved mechanisms for commercially exporting EU personal data prevents government surveillance from occurring, even by the EU’s own intelligence agencies.

Global action is needed

As a result, all multinationals doing business with Europe face the risk of EU DPAs mandating the termination of their EU data exports—unless they take “additional safeguards.”

What should affected companies do?

The message from Brussels is clear: companies that have any kind of connection with the EU—enterprise clients, employees, or facilities—need an enterprise-wide approach to “additional safeguards” so that they can grow their European revenues during the global economic slowdown.

The focus of additional safeguards—what PwC calls “operational adequacy”—should be two-fold: (1) minimize, pseudonymize, tokenize, and encrypt EU personal data in transit and at rest; and (2) operate a robust and transparent mechanism to respond in a privacy-protective way to government requests for data.

Companies should take the following steps to prepare for operational adequacy:

1. Move from the EU-US Privacy Shield to alternative mechanisms.

If your company is using the EU-US Privacy Shield, convert to an alternative mechanism. Every company should identify EU data processors in its supply chain who rely solely on the Privacy Shield and secure commitments from them to adopt alternative mechanisms.

2. Conduct data-transfer impact assessments (DTIAs).

Inventory and map the instances where your company and its vendors are either exporters or importers of EU personal data relying on alternative data-transfer mechanisms. Assess their potential exposure to government interception and identify possible remediation options.

3. Enhance end-to-end data trust controls.

Design a cross-border data-transfer strategy that increases the value of EU personal data in a secure and ethical way. Adopt data-minimization, pseudonymization, tokenization, and encryption protocols for transfers of personal data outside the EEA in proportion to the potential risks identified in DTIAs.

4. Enhance a government data-request process.

Convert any ad-hoc processes for responding to court orders and other government requests for data into a formalized process with defined owners, legitimate refusal criteria and data-minimization steps. Train the executive leadership team and all IT personnel on the process.

5. Adopt a data subject-centric focus.

Keep in mind that the CJEU decision arose because of concerns about the rights of EU persons. As your company reassesses its ongoing GDPR compliance in light of these substantial developments, continue to prioritize data-subject rights as well as ethical and appropriate data use as part of everyday operations.

Contact us

Jay Cline

US Privacy Leader, Principal, PwC US

Jocelyn Aqua

Principal, Cybersecurity and Privacy, PwC US
