The EU-US Privacy Shield, a framework designed by the U.S. Department of Commerce and the European Commission, has been struck down by the European Court of Justice (ECJ).
The framework, approved by the EU in 2016, has been at the centre of several international discussions over the last few years. The programme allowed companies to sign up and self-certify that their data protection practices were in line with EU law.
With the introduction of the GDPR, a supplier's Privacy Shield certification acted as strong evidence that it was holding data in a compliant manner, allowing organisations to justify using American firms and sending personal data out of the EU to be processed.
However, European data protection law only permits personal data to be transferred out of the EU if appropriate safeguards are in place. Because of differences in US law on national security and law enforcement, the ECJ has now ruled that US domestic law does not provide appropriate safeguards for personal data, and that “Surveillance programs … [are] not limited to what is strictly necessary”.
The agreement between the European Union and the USA has therefore been struck down.
What does this mean?
In practical terms, this ruling could have a substantial impact on education settings. Most schools and colleges use various apps and games to facilitate learning, and many institutions use external software to manage HR and finance. Some of these apps and services capture personal data and store it on servers in the US.
Previously, if a school or college wished to use a company that hosted data outside the EU, it could check whether the company was signed up to the Privacy Shield. Certification gave organisations sufficient comfort that their data would be handled in a compliant manner. With that safeguard gone, it will be harder to show that using a data processor outside the EU is appropriate.
This is likely to affect some, but not all, of your organisation's suppliers. A list of companies signed up to the scheme can be found here, but here are a few examples used in education:
Mailchimp: The automated email company stores all data on servers in the US, including recipient and sender details.
Consilio: A firm supplying legal services and software, Consilio provides hosting, processing and analysis on data, and is hosted on servers in the US.
Egress: Egress provides secure email and file transfer for many organisations, including the NHS and many councils. However, Egress does have servers within the UK.
It's worth noting that in some cases a supplier may have its main services based in the EU while sub-processors or performance management functions are based in the US. Zoom is an example of this. Zoom relies on Standard Contractual Clauses (SCCs) rather than the Privacy Shield, and the ruling left SCCs standing as a transfer mechanism, so it is not directly affected.
However, SCCs are a contract between the data exporter and the data importer; they do not prevent the US Government from accessing data hosted in the country. The Court also expects organisations relying on SCCs to assess whether the law of the destination country undermines them, and the individual who brought this case to the ECJ has now taken aim at SCCs, so watch this space.
A review of your suppliers is now in order, and you may have to make difficult decisions. For each supplier that processes personal data, establish where that data is hosted, which transfer mechanism the supplier relies on (the Privacy Shield alone, or SCCs), and whether any of its sub-processors are in the US.