The EU-US Privacy Shield Is No More

Post by Hakan Yuksel
September 14, 2020

Businesses that are inadvertently sending data through US networks may face severe fines - thankfully, there is another way.

In July, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield framework, a mechanism that thousands of companies used to legally transfer data between the EU and US under EU data protection rules. As with prior rulings, the foundation of the decision is that US government surveillance for national security purposes jeopardises the security of EU citizens' data.

This blog post will outline what the new legal decision means for companies, who is affected and what they can do about it.

What the Ruling Means

This court ruling has changed the way businesses send data to and from the EU, and they potentially face severe fines if they are in contravention of EU data privacy laws. Without the EU-US Privacy Shield, there is "an obligation on a data exporter and the recipient of the data to verify, before any transfer, whether that level of protection is respected in the third country concerned." If any businesses transfer data from the EU through a US ISP, they could be found guilty of an offence.

The ramification is that many data flows out of the EU may now be classified as illegal. Companies are now scrambling to find alternate ways to move data. However, there is an option available for these companies to avoid such offences.

The Affected Countries

The ruling itself is focused more on US companies. However, it affects any companies that transmit data from or through a country with surveillance laws that do not satisfy EU requirements regarding citizen recourse. 

Here are a few of the countries that could potentially be affected based on this requirement:

  • Canada 
  • United Kingdom - post-Brexit
  • China 
  • Russia
  • The Middle East Region
  • Korea
  • Thailand
  • Ethiopia
  • Egypt

What Exceptions Are Available

Businesses that want to transfer or transport data outside of the EU and through US ISPs will find it challenging to do this legally without the EU-US Privacy Shield. There now remain very few straightforward legal mechanisms to assist with this objective.

Standard Contractual Clauses (SCCs) - these clauses can be used to prove to the EU data protection authorities that the countries where data travels can provide adequate privacy protection, proportionality and citizen redress. However, data exporters, importers and EU authorities will now have an even greater obligation to review and ensure that SCCs are honoured. To this effect, EU regulators have declared that if companies have any questions, they should immediately suspend data travel activities and consult their supervisory authority.

Binding Corporate Rules (BCRs) - these policies are only awarded to companies who are directly approved by EU data protection authorities on a case-by-case basis. Very few businesses have BCR privileges because they require expensive, long-term creation and approval processes.

It should be noted that all of these mechanisms are under scrutiny and being called into question, so their validity may not last into the future.

The Third Option - Controlling Your Data

There exists a third option that completely negates the effect of the EU-US Privacy Shield ruling.

If companies do not transmit data through US ISPs or other ISPs that do not satisfy the EU data privacy requirements, they will not be in contravention of EU privacy laws.

The EU data privacy laws allow for data to travel through countries which currently qualify as having adequate levels of data protection under EU standards. These countries so far include:

  • Andorra
  • Argentina
  • Specific commercial organisations in Canada
  • Faroe Islands
  • Guernsey
  • Israel
  • Isle of Man
  • Japan
  • Jersey
  • New Zealand
  • Switzerland
  • Uruguay 

However, to achieve this, companies will have to control where their data travels on its way to its final destination. Without this control, their data will simply select the fastest, most efficient route to its final destination. This may include ISPs in countries such as Russia or China, which have a history of cyber-criminal activities and do not satisfy the EU data privacy laws.

The Anapaya Solution

Anapaya's CONNECT network gives businesses unprecedented control and management over where their data travels. Through the Anapaya next-generation internet, businesses gain end-to-end path control, enabling them to avoid certain jurisdictions, demographic areas and ISPs.

Anapaya's solutions also offer geofencing capabilities. Geofencing ensures that data doesn't leave certain countries or pass through untrusted providers. This means that Anapaya clients can use geofencing for their business communication - a feature no other SD-WAN solution offers.

In terms of the new EU-US Privacy Shield ruling, businesses now have a third, better option with Anapaya. They can altogether avoid locations the EU has deemed unfit for data privacy while finding the most optimised data route through countries considered as adequate under EU standards.

Next-Generation Internet, Today

Anapaya's solutions give the control back to the data’s owner. It is a secure, reliable and elegant solution ready to be deployed for any business that cares about its data. After the fall of the EU-US Privacy Shield, it may yet be the best solution available for organisations who want to send or transmit data to or through the EU.

If you would like to find out more about Anapaya, Anapaya's next-generation internet, or how best to control and protect your data, visit Anapaya's official website. For more information on how Anapaya works for ISPs or enterprises, check out Anapaya CONNECT and Anapaya EDGE.
