Data Privacy Day: Here's What The EU's Schrems II Decision Means For US Companies

Forbes Technology Council

CEO and Co-Founder of one of the first enterprise data privacy management platforms, BigID, and a privacy and identity expert. 

In the wake of Data Privacy Day, American businesses face increasing regulatory pressure to protect personal data. In November, California voters approved the California Privacy Rights Act (CPRA), which modifies and expands the existing California Consumer Privacy Act (CCPA). The CPRA creates a dedicated enforcement agency, broadens the definitions of and responsibilities around "sensitive personal information," children's data and data retention policies, and adds more consumer rights options.

Meanwhile, a ruling issued by a European court in the summer, known as "Schrems II," has created significant uncertainty and risk around transatlantic data transfers and compliance with the EU's General Data Protection Regulation (GDPR), which applies to data that can uniquely identify EU citizens.

The European Data Protection Supervisor has said it could be "months" before any solution is hatched. Meanwhile, privacy advocates are seeking stopgap measures to ease data transfers or even a federal privacy law that would signal good-faith efforts to the EU during what could be a yearslong process, according to a Wall Street Journal report from mid-December. It remains to be seen what will happen under the Biden administration.

These new rules — which affect roughly 5,000 U.S. companies and their downstream supply chain customers — reinforce the need for companies controlling customer data to understand where the data lives and how it's being used. The CPRA is fairly straightforward, but Schrems II provides little clarity on what companies must do to be compliant. There's no easy fix, but there are some measures companies can take to minimize their risk.

EU's Anti-Surveillance Stance

In the "Schrems II" decision, the Court of Justice of the European Union (CJEU) ruled that the EU-U.S. Privacy Shield framework — which American companies had relied on to enable compliance with GDPR — was invalid. The court found that the framework did not adequately protect EU citizens' data from potential surveillance by U.S. law enforcement and intelligence agencies.

It's unclear exactly what companies need to do to provide adequate protection for EU data under the ruling. The CJEU said companies can use standard contractual clauses (SCCs) as a primary means of safeguarding data transfer but only if data controllers can ensure appropriate measures are in place to protect EU data from U.S. government surveillance. Companies are left with the option of strengthening the SCCs and/or storing the EU data in the EU instead of the U.S. While large companies have resources to host data at European data centers, smaller businesses don't always have that choice. Legal guidance rests on case-by-case review, which provides little future insight.

The European Data Protection Board (EDPB) published guidance in November 2020 describing measures companies can take, in addition to following the SCCs, to ensure that a particular data transfer meets the EU level of personal data protection. These include mapping all intended international transfers; verifying the transfer tools to be used; assessing whether a law or practice in the destination country would "impinge on the effectiveness" of the safeguards relied on for each specific transfer; adopting supplementary measures to bring the level of protection to one "essentially equivalent" to EU law; and periodically reevaluating the level of data protection provided.

Know Your Data

Companies can no longer rely on the Privacy Shield to provide GDPR compliance for onward transfers. This means they must do more work to determine that all their data practices are compliant, which requires full visibility into what data has been collected: what type of data it is, whether it's considered personal data, where it's located, how and where it flows, and how it's used both within and outside the organization.

Once data has been discovered, it can then be classified (identified and grouped) so privacy, security and governance teams can make informed decisions about compliance, risk, sharing and access. Based on the type of data collected and the probability of a request from law enforcement or intelligence agencies, companies can assign an appropriate level of risk.

Find The Right Tech Partner

Companies should look to partner with technology providers that can help them meet the requirements of Schrems II and the EDPB's guidance. There are tools that can help companies understand what EU data they have and what they're doing with it, monitor and manage data in the event of a data leak or breach and automate workflows to bridge visibility and action.

Vet Subcontractors Well

Companies that transfer EU data to the U.S. are responsible for what happens to it — even if the company uses subcontractors, or processors, for storage or data processing. Companies must maintain visibility into the subcontractors' operations, understand their data protection and privacy practices and verify that they are GDPR compliant. If your data in their systems is found to be in violation, you'll face fines.

Unfortunately, the regulatory uncertainty for American companies is not likely to change soon. It's unclear whether the Biden administration will seek to make any changes to U.S. surveillance law to assure the safety of EU data or work to provide EU citizens with the right to seek individual redress. Absent that or a federal privacy law, the situation will likely be a headache for businesses for a long time to come and could negatively impact the $7.1 trillion transatlantic economic relationship.

While we must all wait for further guidance, companies should take steps now to analyze their data and safeguard it for compliance.
