Privacy Shield is a framework used for regulating the exchange of personal data between the E.U and the U.S. So, if you are a UK based business using U.S based email marketing software such as Mailchimp, for example, then you are exporting your contacts’ private data overseas. In this case, your lists of email addresses are considered private data.
In this scenario, Privacy Shield is designed to provide a framework with the U.S to protect the privacy of your email addresses when using U.S based software.
In the U.K (and E.U), we have GDPR (General Data Protection Regulation); this is the law which is in place to regulate the collection, usage and storage of personal data (such as email addresses). This law does not apply to U.S companies though, as it is only for UK and EU businesses. This is why Privacy Shield exists: up until recently it provided a framework, recognised by the EU, for the protection of EU companies’ and citizens’ private data.
This means that if you are using U.S based email marketing software, such as Mailchimp for example, then Privacy Shield is designed to protect the privacy of your email lists – because by using Mailchimp, your data leaves the protection of GDPR.
This arrangement has worked fine since 2016 (when the previous agreement, ‘Safe Harbour’, collapsed). In July 2020 this changed though. The E.U/UK no longer recognises that Privacy Shield offers adequate protection for E.U/UK based businesses and citizens when transferring private data to the U.S.
Why has Privacy Shield collapsed?
On 23rd July 2020, the Court of Justice of the European Union ruled that it no longer regarded Privacy Shield as offering a suitable level of protection for EU/UK businesses exporting data to the U.S (such as by using U.S based email marketing software).
Their concern was based on two main points:
- “The requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred”
The CJEU ruled that, because the U.S government retained the right to gain access to E.U citizens’ data, the rights of E.U citizens (and businesses) transferring data to the U.S were seriously compromised.
- “The limitations on the protection of personal data arising from the domestic law of the United States… are not circumscribed in a way that satisfies requirements.”
They also felt that U.S domestic law did not offer an acceptable level of privacy protection.
What this means is that the EU did not feel the U.S was able to offer enough guarantees that US legislative and intelligence bodies would not snoop on the data of EU citizens transferred to the U.S.
The court also found that the Privacy Shield ombudsman, set up to offer legal recourse in the U.S if a complaint is raised, did not offer an adequate level of legal protection to E.U citizens. They also felt that the ombudsman’s independence was questionable at best.
What does this mean for E.U/U.K transferring private data to the U.S?
In the UK and E.U, if you possess your contacts’ private information, such as email addresses, then you are required under GDPR to collect, store and process this information in a compliant manner.
The E.U was satisfied that the Privacy Shield framework offered an agreement with the U.S reflecting the same high standards as required by GDPR. After the July court case, the EU has ruled that it no longer agrees that Privacy Shield offers the required standards of safety and security. This means that E.U businesses can no longer transfer data to the U.S under Privacy Shield, as the standards required by GDPR are not in place.
With the current absence of a structured formal agreement, the EU has agreed that if the U.S company you are dealing with can provide a Standard Contractual Clause (SCC), then this could suffice in the interim period. GDPR does state that if you are exporting your clients’ private data outside of the protection of EU law, then you will need to seek the consent of your contacts prior to doing so.
Lots of U.S data service providers get around this by burying in their small print that, by using their service, you are aware that you are leaving the protection of GDPR and that currently no legal protection exists to govern the safe collection, storage and processing of your private data.
In terms of exporting data to the U.S with no legal protection in place, it’s a very uncertain time. With the insistence of the U.S government that all data imported into the country can be subject to access by any body it requires, it’s unlikely that a framework will be agreed any time soon. The previous two agreements have both collapsed for the same reasons.