Last July, the Privacy Shield, which had been so useful for companies doing business on both sides of the Atlantic, was declared invalid. It took us all by surprise, since it was quite a new program (only 4 years old) that built the framework for the exchange of information and data between the United States (US) and the European Union (EU), and it had greatly eased business between the two markets.
“In its decision of 7/16/2020 – C-311/18 “Schrems II” (in particular sections 138 to 145), the European Court of Justice (ECJ) declared the so-called Privacy Shield to be ineffective. The court justified this in particular by stating that the level of data protection in the USA does not meet the requirements of European data protection because US authorities (and above all secret services) are allowed to access personal data of EU citizens without EU citizens having the right of appeal.”
The Privacy Shield was adopted in 2016 – replacing the previous “Safe Harbor”, which managed to stay in force for 15 years – and its aim was to protect all EU residents whose data was transferred to the US for commercial purposes. It made the transfer of data free of charge for the US companies certified under the Privacy Shield.
- EU Court of Justice official press release on the Schrems II ruling
- EDPB FAQ on the Schrems II Privacy Shield case
- Recommendations for how to transfer data outside of the EU
So, what led to this? Can FISA 702 be the reason?
As mentioned above, the justification for this decision was that US authorities, and even secret services, have the right to access EU citizens’ data without the latter having the right to object or to appeal. To be honest, that does sound like a huge violation of the General Data Protection Regulation (GDPR) that the EU has enforced since 2018. Is it true though?
Well, to be fair, it can be true. Although it is not breaking news to anybody, there are certain mechanisms that allow US organisations and institutions to collect, keep and use citizens’ data for investigative purposes. The biggest example is Section 702 of the Foreign Intelligence Surveillance Act (FISA), which explicitly permits the US government to do just that. The government can conduct targeted surveillance of non-US persons (meaning both non-US businesses and non-US citizens) who are located outside the US. The justification for such action is simple: the targeted persons might be a potential danger to the country, for example terrorists, proliferators and spies.
And what happens now?
Reading this and thinking about it a little, it makes sense why the EU felt the need to revoke the Privacy Shield. But this isn’t the end of the world for businesses trying to collaborate with the other side of the Atlantic. How so? Because we still have the Standard Contractual Clauses (SCC) for data transfers between EU and non-EU countries.
And now you may ask: what are the SCC? Basically, these clauses impose obligations on both the data exporter and the data importer, while also granting rights to the persons whose personal data is transferred. This means the data is considered to be safe, because there is a legal basis recognised by the European Commission that regulates the transfer.
It follows that, for the time being, the SCC are a sufficient and safe basis to rely on for transferring data internationally – from the EU to non-EU countries or out of the European Economic Area (EEA). However, the SCC must be backed by adequate technical and organisational measures protecting against access by or on behalf of authorities.
Configcat and our Data Governance
Where does Configcat stand in this situation now that the Privacy Shield is cancelled? Has this been a big challenge? Well, not really, because at Configcat things are much simpler and less tricky. Why? Because you, as a customer trusting us with your data, can choose where you want your data to be stored: in or outside the EU. This is possible because we have several data centers in different locations in and outside the EU. To be more precise, 3 data regions with multiple data center locations:
- EU: Frankfurt, Amsterdam
- America: New York City, Newark, Fremont, San Francisco
- Asia & Oceania: Singapore, Sydney
So, you can decide on your own, by setting your preferences on the user dashboard, where you want your data to be stored – in the EU only, or globally (including the EU). Choosing the EU-only option ensures that your data will never leave the EU, meaning it is safe and GDPR protected. And that is why the Privacy Shield cancellation doesn’t really affect us or you.
How do you set your preferences? Simply follow the steps described in our guide for data governance, and peace of mind is guaranteed!
Guide for ConfigCat data governance