Updated: June 8, 2023
Published: August 28, 2020
If you've been following the news, you're probably aware that the European Union Court of Justice invalidated the EU-US Privacy Shield in its decision in Facebook Ireland v. Schrems (Schrems II). Essentially, the court ruled that the Privacy Shield isn't a sufficient mechanism to transmit personal information into and out of the European Union.
The court decision's impact is far-reaching, even if you don't reside in the European Economic Area. It applies to any organization that collects personal information from EU residents. Thus it had the potential to dramatically change the way we transfer data between Europe and the United States. Does your business have a website? Chances are Europeans visit it, so this applies to you as well.
We've received numerous questions about the decision's impact and how far it reaches. Many businesses are nervous about this decision. We get it. We wouldn’t want EU regulators knocking on our door, either. If you use Osano, you have no reason to be concerned about the Schrems II decision. No EU resident’s personal data ever leaves the EU.
Before we dive into how Osano keeps you compliant with the General Data Protection Regulation, let's explain the Privacy Shield and why it was necessary.
The GDPR sets standards for collecting, processing and transferring data in the European Union. But since regions like the United States (and others) don't have similar data privacy laws, and many cross-border data transfer mechanisms can be expensive and time-consuming, there had to be a mechanism to control data transferred in or out of the EU. The EU wanted to ensure its residents' data wasn't merely moved outside its borders and abused elsewhere.
Privacy Shield is a framework for transferring data between the United States and the European Economic Area. Before its invalidation, organizations could provide "adequate" protection of personal data as required by the GDPR by abiding by Privacy Shield's seven principles and self-certifying with the U.S. Department of Commerce.
The European Union Court of Justice's decision invalidated the EU-US Privacy Shield. If you or any of your vendors were relying on the Privacy Shield mechanism to transfer personal information to or from the EU, you must stop those operations, or find a different GDPR-approved mechanism.
Standard Contractual Clauses (SCCs), however, are still valid in most countries, so you'll want to check if you have SCCs in place with your vendors. If you're transferring data within a corporate family, you can still use GDPR-approved binding corporate rules (BCRs), although certain EU countries have voiced opposition to the reliance on BCRs as well. Of course, you can also collect explicit consent from data subjects for each transfer or transfer scheduled by a contract.
As an Osano customer, you probably want to know what this all means for you in the context of our platform. If you use Osano, are you still compliant with the GDPR even though Privacy Shield is no longer a valid mechanism to transfer data?
In short, yes. The invalidation of Privacy Shield does not affect data that is collected, processed, or transferred using Osano. Even though Osano is Privacy Shield certified and we fully expect that the EU and U.S. authorities will eventually reach a new agreement, our data privacy platform remains compliant with the GDPR regardless.
Osano uses a regionalization system to avoid transferring personal data in ways that could cause you to become non-compliant with the GDPR. For example, if a user in Germany requests any file or accesses any API from our servers, we deliver it via a German server to that person. The data remains localized to that region. No transfer means no cross-border transfer compliance issues.
All of the non-regional systems that touch personal data are located in the European Union: Ireland, to be specific. That personal data never leaves the EU, even if it represents a user in the U.S., China, Germany or anywhere else. This Irish data center has specific systems and processes to comply with the GDPR. Again, no transfer means no cross-border transfer compliance issues.
Osano is private by design, so rather than work around data transfer mechanisms (like Privacy Shield and whatever follows it), it's simpler and safer to isolate personal information in the EU so that not even an IP address ever crosses from the EEA into another region. We simply avoid transferring the data in the first place.
As a privacy company, we know security and compliance are paramount. We have thousands of EU users who use our process and practices to stay compliant every day, and that's why we ensure our own compliance with emerging data privacy laws.
If you have any questions about the Privacy Shield decision and how it affects your compliance with EU law, our support team is here to help.
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.