March 12, 2021
Anyone with a stake in data transfers out of the EU and into a different country has likely heard of Max Schrems. He's the Austrian lawyer behind the takedown of Privacy Shield. And while organizations are surely hoping for a quick solution to replace the now-defunct data-transfer mechanism, it's not looking good.
According to EU officials, this could take years, not months.
International data flows between the EU and the U.S. are crucial for many organizations' core business operations. That's the reason for the virtual "gasp" heard 'round the world when the EU decided to eliminate the data transfer agreement more than 5,000 companies used to facilitate cross-border movement.
In July 2020, the Court of Justice of the European Union decided in Data Protection Commission v. Facebook Ireland, Schrems, that it must invalidate the Privacy Shield agreement because of perceived shortcomings in U.S. policy, namely U.S. surveillance programs under Section 702 of the Foreign Intelligence Surveillance Act that allow for mass sweeps of individuals' data, and "the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by U.S. public authorities of such data transferred from the European Union to the United States."
In essence, the U.S. doesn't have a federal data privacy law. The EU boasts what's often called the "gold-star standard" of privacy law, the EU General Data Protection Regulation. The EU only allows data to cross borders to countries with frameworks "essentially equivalent" to the GDPR. And the U.S. doesn't meet that standard.
Also, the GDPR allows EU citizens a "redress" process if they feel intelligence agencies have unlawfully surveilled them. The U.S. has no such mechanism.
The Schrems II case triggered a panic that's rippled across the globe. The ruling signals trouble for the future of data transfers between the EU and the U.S., and for transfers from any third country that doesn't yet have a GDPR-like privacy law.
There are still existing data-transfer mechanisms to use absent Privacy Shield. Standard contractual clauses and binding corporate rules remain legit. But those mechanisms require individual agreements between affected parties and can be costly. Also, the Schrems II judgment did cast some doubt over the legality of standard contractual clauses, but we're awaiting an opinion from the European Data Protection Board before companies implement any major changes there. That leaves organizations hungry for a Privacy Shield replacement: a blanket agreement in which they can certify they're going to treat data according to the rules and then transfer all day long.
The problem is: It's not yet clear how the U.S. and EU will overcome the divide. Law enforcement agencies are vehement that they need access to the surveillance data, as allowed under Section 702, to fight terrorism and other crimes. And as long as that allowance exists under U.S. law, the EU will be dissatisfied.
The second hurdle is passing a federal privacy law in the U.S. While there's perhaps more momentum now than ever before given state action on privacy, there's no indication a law is imminent. Only one lawmaker has introduced a federal proposal so far this year.
For companies anxious for Privacy Shield's replacement, it doesn't look good. On March 9, the Wall Street Journal reported that negotiations could take "years rather than months, making it difficult for companies to continue cross-border business without violating privacy rules."
The report added that EU officials plan to start talks with U.S. Secretary of Commerce Gina Raimondo, responsible for securing a deal. The U.S. Senate confirmed her nomination to the post in early March.
For now, companies must ensure they're following data protection laws as closely as possible until the EU and U.S. reach a new deal. German data protection authorities, for example, have already indicated they'll be watching companies with data subjects in Germany closely.
If your company is relying on standard contractual clauses to get through the uncertainty, be sure to read the European Commission's draft on the future of that mechanism.
Writer at Osano
The Osano staff is a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet. Occasionally, the team writes under the pen name of our mascot, “Penny, the Privacy Pro.”