Recently there has been a lot of information about changes to Privacy Shield. To help you better understand this topic, we have compiled answers to the following FAQs.
What is Privacy Shield?
The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce and the European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.
What has changed?
On July 16, 2020, the Court of Justice of the European Union (the “CJEU”) invalidated the EU-U.S. Privacy Shield Framework as part of its judgment in the Schrems II case (case C-311/18). In its judgment, the CJEU concluded that the Standard Contractual Clauses (the “SCCs”) issued by the European Commission for the transfer of personal data to data processors established outside of the EU are valid, but it struck down the Privacy Shield framework on the basis that the limitations on U.S. public authorities’ access to EU personal data were not sufficient for the level of protection in the U.S. to be considered equivalent to that ensured in the EU, and that the framework does not grant EU individuals actionable rights before a body offering guarantees that are substantially equivalent to those required under EU law.
What is Foleon doing?
Foleon currently complies with the European Data Protection Board (the “EDPB”) guidelines, but those guidelines are being reviewed in light of the CJEU’s ruling. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “AP”) has not yet issued guidance on the outcome of the Schrems II case. The AP has communicated that the EDPB is now looking into the practical consequences of the CJEU’s ruling and the possible next steps. According to the AP, the EDPB will publish additional measures in the short term, including clauses that can be used in (model) contracts.

While the SCCs remain valid, the CJEU underlines the need to ensure that they maintain, in practice, a level of protection that is essentially equivalent to the one guaranteed by the GDPR in light of the EU Charter. Assessing whether the country to which data is sent offers adequate protection is primarily the responsibility of the exporter and the importer when considering whether to enter into SCCs. When performing this prior assessment, the exporter (if necessary, with the assistance of the importer) shall take into consideration the content of the SCCs, the specific circumstances of the transfer, and the legal regime applicable in the importer’s country. If the result of this assessment is that the importer’s country does not provide an essentially equivalent level of protection, the exporter may have to put in place additional measures beyond those included in the SCCs. The EDPB is looking further into what these additional measures could consist of.

The vast majority of Foleon’s sub-processors are within EU territory. After reviewing all sub-processors, only 4 have been identified that transfer data to the US. Our initial focus is to add new frameworks / SCCs once guidance has been provided by the EDPB.
Finding alternatives for the 4 sub-processors based outside of the EU is difficult, as the alternatives either don’t exist or provide a less complete solution. Foleon’s current stance is to monitor updates from the EDPB and follow its updated guidelines once those are released. This means that Foleon will currently take no action to make structural changes until there is clarity from the EDPB.
As a customer, these are your options:
- Continue as is under the current processes (there is currently no guidance from the EDPB about what actions companies should take)
- Don't use US sub-processors
- Opt out of all account-level sub-processors
- Ensure your users are aware that they should not opt in to user-level sub-processors
The US sub-processors, the processing they perform, and the implications of not using them are listed below:
Mandrill (by MailChimp)
Process: Notification on data capture from Foleon native forms.
Implications: No ability for customers to receive email notifications on Foleon native form submissions.
Process: Content delivery network for publication delivery.
Implications: Possibly slower loading times for readers outside the EU, specifically in Latin America and Asia/Australia, where a CDN offsets latency. We are moving more and more processes towards AWS; their peer network for S3 is usually above average, and even transatlantic transfers are <100 ms.
Process: Session recording to provide user support, improve UX, and pinpoint product improvements.
Implications: This service is activated only via user opt-in; if the user doesn’t opt in, the service is not used. Without session recording, Foleon has less product usage data on which to base product decisions.