The European Court of Justice Invalidated the EU to US Privacy Shield Treaty

On July 16th, 2020, the European Court of Justice invalidated the EU to US Privacy Shield treaty. On July 17th, 2020, the United States Department of Commerce responded by essentially stating they would continue to enforce it anyway. On July 20th, 2020, Promedim launched GDPR24; our good idea became the must-have digital privacy service of 2020.

Divorces are messy, and they are REALLY messy when one side decides that its best course of action is to ignore that it’s happening. This type of unilateral action by both the EU and the US is exactly what the Privacy Shield treaty was intended to avoid. It is a damning indictment of the European bureaucracy, which didn’t account for what have become, with a pen stroke, unacceptable (yet legal, in the US anyway) data surveillance practices of the United States. Equally, the US Department of Commerce, which was almost certainly monitoring this case, appears to have made no provision at all for its termination as an enforceable legal treaty in the EU.

What Happens to US Organizations that Have Certified to the Privacy Shield?

As of July 2020, there are over 5000 US organizations that have certified to the Privacy Shield. Given its voluntary nature, thousands more have been relying solely on contractual agreements. The invalidation of the data privacy treaty by the EU places an immediate civil and economic burden upon US companies that regularly transact the data of European citizens.

The European Court of Justice’s ruling, while dumping Privacy Shield, simultaneously upheld that standard contractual clauses can continue to be used between organizations located in EU member states and their data processors in the United States.

However, an additional burden is now placed on the EU-based entities to ensure that the third-party countries, in this case the United States, have adequate legal protections similar to those afforded to citizens of the European Union.

Given that this was the intention of the Privacy Shield treaty, and that it is now invalid, this ruling is effectively a contradiction in terms. US companies that currently process large amounts of EU citizens’ data can expect a flurry of contractual updates in the near term, and in some cases may be required to segregate, isolate, and move EU citizens’ data to servers and data pools within the borders of the European Union. The cost and practicality of such requests remain to be seen.

It is clear that US organizations cannot legally commit to contractual language that would prevent the sharing of information when lawfully requested by US law enforcement organizations. Inevitably, the failure to respond to a subpoena or valid court order would place the US organization in legal jeopardy.

The Department of Commerce’s response perhaps has more to do with the current political climate in the United States than with any measure of practicality. The unilateral enforcement of an agreement that one party has declared invalid is a largely pointless endeavor. In the medium term, and more likely heading into Q1 of 2021, a renegotiated agreement must be pursued; the globalization of the world economy and the entanglement of personal data across borders will necessitate such an agreement.

What Happens in the Meantime?

Until that time, and in preparation for it, the role of the Data Protection Officer (DPO) becomes absolutely critical. Many organizations have treated privacy as an afterthought, or an adjunct task to someone in a compliance-related role. Too often the role of privacy officer is titular in nature and appended to a member of an organization’s legal counsel, financial compliance, IT governance team, or quality and compliance group.

The reality of the collapse of the Privacy Shield brings with it the necessity to consider the addition of a qualified data protection officer to one’s team. The desire to obtain an individual with the appropriate qualifications and the practicality of doing so are in many cases diametrically opposed. Additionally, DPOs generally command high six-figure salaries and can be, for all but the larger organizations, an unattainable resource.

This reality shines a light on the necessity for organizations to seek out and retain a contract DPO. Contract DPOs effectively provide on-demand service for privacy questions and concerns, standard contractual language reviews, and an independent voice with regard to the wording of data processing agreements (DPA).

What are the Challenges?

Two of the fundamental challenges in obtaining a contract DPO are their relative scarcity as a resource and the challenge of holding them accountable and ensuring that their communication with data subjects or supervisory authorities is transparent, auditable, and immutable. In fact, if we borrow the data integrity definition from the health and life science sector, would anyone disagree that GDPR data must be accurate, legible, contemporaneous, original, and attributable?

It is here, at the intersection of professional privacy services and data integrity, that Promedim’s new GDPR24 platform provides an invaluable and immediately timely service. The value of a contract DPO was not in question prior to the invalidation of Privacy Shield; it is now a necessity.

With the protection of third-party arbitration gone, or at least in highly dubious legal territory, the protection that an on-demand DPO can provide cannot be overstated.

Many of Promedim’s DPOs hold European law degrees, and all are minimally required to hold the ISACA Certified Data Solutions Privacy Engineer Certificate. Our DPOs are supported by our cloud-based immutable data subject query management SaaS platform. All communications between data subjects and DPOs are fully auditable and completely un-editable.

Data subjects engage in a standard email conversation that is safely enclosed within our encrypted communication tool. This allows full transparency for the customer contracting the DPO and also offers a massive liability reduction in that data subjects cannot misrepresent any part of their communication with the contract DPO. Furthermore, our integrated privacy vault ensures that all privacy policies specific to the organization under contract are immediately available to the contract DPO, and understanding of the data subject can be assessed almost in real-time.

All data is stored within the boundaries of the European Union and within highly secure third-party certified data centers. In order to support our life science and clinical customers, the application has been validated to meet international GxP standards, including Good Clinical Practices, Good Manufacturing Practices, 21 CFR Part 11 (inclusive of audit trails and electronic signatures), the EU’s Annex 11, and the Chinese GxPs. The GDPR24 platform itself has its foundations in Promedim’s industry-leading clinical platform, which has boasted 100% uptime for the last five years. The platform itself was in use in over 20 countries globally in the past 12 months and is regarded as the benchmark for high compliance and medical monitoring oversight in the clinical trial space.

How Can We Help?

In addition to our contract DPO services, the GDPR24 professional services team can create, customize, and train your team in good privacy practice. Our privacy policies and breach notification workflows are proven and fully supportive of GDPR in the EU, HIPAA in the US, and California’s Consumer Protection Act (CCPA).

Our data privacy experts are ready to evaluate your current IT and data governance practices and create custom solutions that are scaled to your organization’s needs and risk profile, and our contract DPOs are ready to act in your organization’s best interest.

If you have any immediate questions about our platform, DPO services, and our professional privacy services, please reach out to us at [email protected]

