EU Courts Strike Down Data Privacy Shield Leaving U.S. Companies Vulnerable


Businesses will need to find new ways of transferring data from the European Economic Area (EEA) to the United States after European courts struck down the EU-U.S. Data Privacy Shield program.

The ruling sets new hurdles for companies trying to operate across borders, especially as data and information are increasingly important to business operations. Business leaders will have to examine their data transfer practices to ensure compliance.

The Data Privacy Shield program, previously used by companies to transfer data from the EU to the U.S., was struck down over security concerns on July 16, leaving many companies that operate in the EU liable for potential violations of EU data privacy laws. Violators of transfer laws may face fines of up to 20 million Euro ($25 million) or up to 4 percent of the worldwide annual revenue of the preceding financial year. In addition, EEA data subjects can bring lawsuits over an illegal transfer.

The program, established nearly four years ago, was meant to protect EEA data at the same level as EU laws do after transfer into the United States. The courts invalidated the program on the grounds that U.S. surveillance laws prevented the same level of data security as the program was meant to guarantee. Lawyers say that the ruling is also applicable to other countries, especially those with harsh local surveillance laws.

More than 5,000 companies, 70 percent of which are small- and medium-sized companies, use the Privacy Shield program to transfer data. Other companies use special contracts to legally transfer data, but the ruling went as far as to say that those contracts are only valid if the companies can guarantee the data will be protected in line with EU laws even outside the region. The burden will be on the data exporters to ensure compliance with the new ruling by examining local legislation to identify when additional protective measures are needed or when data transfer is impermissible.

The decision could upend the operations of many companies and billions of dollars in cross-border activities, including cloud services, advertising, and human resources, if individual data is stored. Even video conferencing software that sets up a call between two individuals in Europe could run afoul of the new regulations if it stores or transfers information about the participants outside the European Union.


Stephanie Liu is assistant editor of Internal Audit 360°
