There are two things businesses everywhere like: certainty and harmonization. The Schrems II ruling in the Court of Justice of the European Union (CJEU) strikes a blow on both of these counts with respect to the vast (and hugely valuable) transfer of user data from the EU to the United States.
By ruling that one of the two main legal protections for user data transferred to the US – the so called “Privacy Shield” – doesn’t sufficiently guarantee respect for fundamental data rights, the CJEU’s decision poses a clear and immediate threat to businesses that rely on Privacy Shield to facilitate data flows.
That’s 5,378 businesses, including some of the biggest tech companies in the world.
It’s notable that while Privacy Shield has been invalidated, the use of Controller-Processor Standard Contractual Clauses (SCCs) for data transfer was upheld, albeit with new guidance on how those could be invalidated – essentially, if privacy rights can’t be guaranteed in the countries receiving EU user data, the validity of SCCs can also be questioned.
I don’t wish to play the policy prediction game in response to this ruling; I’d only suggest that for some of the world’s biggest and most powerful enterprises, a lack of legal basis for moving data from Europe to the US is simply untenable.
There may be other potential mechanisms that can fill in for data transfer, like GDPR’s Article 49, but this was built for exceptional or unusual instances rather than consistent ongoing transfer of huge data quantities through a transatlantic pipeline.
Something will have to give.
The ruling suggests that – since EU privacy rights aren’t protected in the US, per the CJEU – even the use of SCCs for transferring data from Europe to the US may not be adequate. I can’t predict what the next move will be, but I agree with Simon McGarr that “this is a massive strengthening of the EU’s regulatory power in order to enforce its human rights-based vision of data processing.”
But for myself and the team at Ethyca, the result is…well it’s not irrelevant by any means, but to focus on specific operational consequences on day Schrems II +1 somewhat misses the point. We already know that over the next 10 years, the global privacy landscape will evolve rapidly.
GDPR wasn’t the end, it was only the start.
Businesses must accept and plan for an unstable, unharmonized global privacy regulatory environment. As Twilio’s Robin Andruss said on a recent Ethyca panel, playing “whack-a-mole” with regulation as region-specific issues crop up will only result in an inefficient, time-consuming, and hugely frustrating privacy operation during this period of rapid evolution.
Put differently, if data privacy compliance for your business relies on hard-baked processes, Excel spreadsheets, emails, and humans, the manual effort and technical data debt that will inevitably accumulate over the next decade will be hugely costly. Possibly even fatal. The only way to viably ride this roller-coaster is to implement agile, modern, tech-driven solutions for the data flows in your business. That applies to each phase of the data lifecycle and each facet of privacy rights management.
I don’t mean to suggest that a company using state-of-the-art privacy tech would be unaffected by the Schrems II decision. If your business relies on the EU/US data pipeline, it’s going to cause disruption no matter what. But if you already understand, at the touch of a button, all the data your business holds, where it lives, the region-specific regulations that apply, and the entitlements systems currently in place, it’s a disruption that may be manageable in days.
But if you’ve now got to put a team to work to understand all those same things…it could be a messy few years. And if you can’t adjust data governance on the fly, the future will only get messier.
– CK