Privacy Shield abandonment shows businesses need to up their data protection
Thu 1 Oct 2020 | Evan Rutchik
Privacy Shield’s invalidation shows data practices are under greater scrutiny than ever before. If they’re not already, sensible businesses should err on the side of caution, writes Evan Rutchik, CRO at Ogury
On 16th July, Privacy Shield was rendered invalid by the European Court of Justice (ECJ) in a move that created shockwaves for the adtech industry. Clearly, this is a big gesture from the EU showing that it will protect the personal data of citizens – the decision didn’t provide a grace period, so organisations must adopt replacement measures immediately.
A new “enhanced” Privacy Shield framework will be discussed by the U.S. Department of Commerce and the European Commission to resume EU/US data sharing. In the meantime, this has cast a spotlight on data privacy, yet again, and how important data has become to international commerce. Businesses should prepare for legislative changes such as these by putting traceable and trusted consent at the heart of data sharing practices.
Any port in a storm
The absence of Privacy Shield means that continuing to share data on European citizens with the US without the right assurances in place can put companies at huge financial risk. The price to pay for GDPR non-compliance can be €20 million or 4% of revenue, whichever is the larger figure, not to mention potentially long-lasting reputational damage.
This isn’t the first time that global companies have been thrown into turmoil: back in 2015, Safe Harbour was abolished by the ECJ in response to the revelations of whistleblower Edward Snowden, detailing mass surveillance of EU citizens by the US government. The abolishment of Safe Harbour meant US companies were no longer able to self-certify that they would protect EU citizens’ data. This showed how the ECJ will not hesitate to act in order to protect its citizens’ data from the risk of international surveillance.
After Safe Harbour’s abandonment, the Privacy Shield regulation quickly followed as a replacement to ensure the free flow of information on EU citizens to the US for legitimate business purposes. While Privacy Shield shared the same principles as Safe Harbour, it focused more on individual rights for EU citizens and restrictions for US businesses, and minimised the US government’s access to personal data.
Now that Privacy Shield itself has been abolished as the ECJ ruled it failed to protect EU citizens in accordance with EU laws, businesses are once again realising how quickly data policies can change and why having a clear understanding of the data they collect, store and use is essential. Doing the bare minimum is no longer acceptable if businesses are to navigate the constantly shifting regulatory landscape. Organisations now need to protect themselves against this and any further changes by raising the bar of their data sharing practices.
The shifting regulatory landscape
GDPR has just turned two years old, but in that time it has created significant changes to the ways people share and collect data. Data laws now mandate that organisations need to be able to demonstrate they are obtaining data for legitimate use, that they have explicit consent for this use, and that the owners of data are able to revoke their consent at any given time. This has prompted organisations in Europe to abandon opaque data sharing policies and become more transparent with consumers, which is a welcome change.
We were one of the first organisations to get ahead of GDPR and implement these principles across our entire global business. Acting early has stood us in good stead to face the shifting landscape of global data regulation currently underway. Now other countries are adopting their own versions of more stringent data regulation in response to GDPR, such as California’s CCPA in the US, and Brazil’s LGPD regulation. This is prompting organisations around the world to reconsider their approach to collecting and using data.
Some companies are now realising they can’t tell their consented data from non-consented data, or whether this has been obtained from a US user or a European user. Without this understanding and record of trusted and traceable consent, organisations aren’t able to meet data protection requirements, since they have no knowledge of whether this data has been obtained in accordance with European or Californian law.
Data whose use has not been consented to is defined as ‘toxic data’ because it creates increased risk to the business. This risk could include penalties over data misuse, but could also include the harder-to-measure damage caused to user trust. Organisations need to remove the risk of toxic data by putting policies in place to ensure any future data sharing adheres to the new rules, whatever they may be.
A tide raises all boats
Until the legal framework is revealed we will not know the outcome, but companies affected by the demise of the EU/US Privacy Shield can avoid a lot of the complexity and confusion by partnering with tech firms which are well-versed in this topic and already comply with the highest standards of data protection. These companies have put automated processes in place that are completely transparent about the type of data being collected and its intended use. They request permission from users to share certain data, providing clear and specific information about the purpose of data collection and how long the data will be stored, as well as the option to easily opt out at any point.
Clearly, Privacy Shield shows that data practices are under greater scrutiny than ever before. However, by putting consented data first, businesses can insure themselves against future change and drive closer relationships with consumers. This doesn’t just protect businesses against current risk, but also forges greater trust with consumers over the long term.