Top EU Court Invalidates EU-US Privacy Shield
7/22/2020
In a landmark ruling that can have far-reaching effects for data privacy compliance, the Court of Justice of the European Union (CJEU) has invalidated the EU-US Privacy Shield, which allows the legal transfer of personal data between the EU and the U.S.
The Privacy Shield data transfer framework is currently used by 5,300 companies in the U.S.
The CJEU found that U.S. law and surveillance activities go against European citizens’ rights to privacy and data protection, as set out by various regulations including the EU Charter of Fundamental Rights, the European Convention on Human Rights, and the GDPR. Read the official press release here.
The case is underpinned by a criminal complaint by Max Schrems against Facebook Ireland. The case, which was originally dismissed, was later filed with the CJEU where Schrems successfully argued that the privacy law did not adequately protect his personal data.
Implications for business
The implication could include ongoing data transfers between EU and the U.S. resulting in fines due to non-compliance with the GDPR.
Standard Contractual Clauses (SCCs) remain valid provided adequate protections are in place in the country to which EU data is transferred. Necessary data flows can still continue, such as email correspondence, travel bookings, eCommerce, and data necessary to fulfill a contract.
According to the GDPR, an adequate level of protection must be in place to safeguard personal data before data can be exported. As Google recently discovered, non-compliance can have costly implications.
Microsoft was quick to respond to the ruling and assured users that Microsoft services are compliant with European law and that data can still be transferred between the EU and U.S. using the Microsoft cloud. Businesses still, however, need to be vigilant about their data transfer activities and ensure all due diligence is followed.
It is crucial now for privacy and risk officers to take the necessary precautions needed to protect sensitive data and comply with GDPR regulations. Organizations will need to relook at their data transfer flows, privacy policies, and risk frameworks to better understand the impact of the ruling. Most importantly, businesses will need to look for new ways to transfer data that offers better protection.
Data Masking can shield sensitive data
Data Masking (or in the GDPR definition framework, anonymization) is a key requirement in complying with industry standards and regulations such as the GDPR. Hush-Hush Data Masking allows businesses to be fully compliant with little effort. HushHush masking algorithms generalize data easily and satisfy the k-anonymity requirements of the GDPR, both on-premises and in the cloud.
Data masking is the method of masking sensitive data in order to control the flow of data inside and outside a business. The process involves substituting real values with realistic, non-identifying values that ensure no sensitive data can be used for reporting, partner exchange, and outside production.
Request your free demo of Hush-Hush Data Masking tools here.