Betamax, Windows 7, AltaVista… there are many things in life that should last, but due to misfortune, progress, or simply the uncanny inability to think ahead, they unfortunately end up falling flat on their proverbial faces, never to be seen again. The latest head on the block? The EU-US Privacy Shield – the infamous 4-year-old data transfer framework very recently shot down in flames by the Court of Justice of the European Union and consigned to an eternity of eye-rolling and sighing at the mere mention of its name.
Until now, most US-based analytics, messaging and marketing automation vendors – upon which literally thousands of EU businesses rely – could use the Privacy Shield’s data transfer framework to host the personal data of EU citizens without compromising their customers or placing them at risk of being in breach of their obligations under GDPR. But the court was having none of it, citing – amongst other things – concerns that the framework would leave the personal data of EU citizens exposed to US surveillance. The long and short? US-based marketing automation vendors can no longer point to the Privacy Shield as legal protection for hosting the personal data of EU citizens, and therefore any EU businesses that continue to use such vendors may now be in breach of GDPR… Let’s dig deeper.
So, what exactly was the EU-US Privacy Shield – and why should you care about its demise?
When the GDPR was introduced just two short years ago, EU data being transferred to countries outside of the union was at risk of breach, surveillance and all the stuff you really don’t want your personal information exposed to. The EU-US Privacy Shield was concocted to deal with that, with the European Commission deeming data transfers between the EU and the US lawful. EU businesses were again able to confidently continue using US-based analytics, messaging and marketing automation vendors whilst still complying with GDPR.
Four years later, in July 2020, the commission’s decision was judged unlawful by the Court of Justice of the European Union, effectively ending the legal transfer of personal data between the EU and US – and leaving businesses on both sides scrambling to determine the impact on their operations.
In response to the July judgement, many US-based vendors offering analytics, user engagement, push notification and other marketing automation services have simply updated their terms and conditions in a lazy attempt to assuage the concerns of the businesses entrusting them to protect their data once it is in their hands – but these updates bring absolutely nothing to the table, simply because they don’t have a leg to stand on when it comes to the law.
For businesses that transfer personal data from the EU to the US, this represents the worst of all possible outcomes. Standard Contractual Clauses, commonly utilized for transfers around the globe, will be subject to much closer scrutiny by data exporters and by EU regulators.
Bridget Treacy, data privacy partner at Hunton Andrews Kurth, London
The bottom line? If you’re an EU business using US-based marketing automation vendors that are either hosting your users’ data in the US – or transferring it there at any point – you could now be in breach of GDPR. It’s probably worth pausing here and inserting a timely reminder of the penalties – in the most serious of cases, fines can climb to an eye-watering €17m – or 4% of your business’s annual turnover – fines no one wants to rely on crossed fingers to avoid.
How Kumulos keeps your users’ data safe – and in the EU
Connecting with customers in meaningful, valuable ways, driving engagement and creating long-term loyalty is the holy grail for many EU businesses wanting to succeed in the 21st century. Personalisation lies at the heart of these meaningful connections … powered by mountains of personal data and driven by the insights it provides. Keeping that data safe is not only critical to your success, it’s also critical to protecting the trust that your users have put in your hands. It’s time to ask – do you know where their data’s going? Where is it held? Which cloud computing service does your push notification vendor use? Where are the data centers physically located? Where do the off-site backups go? Now would be an opportune moment to review your vendors’ T&Cs and start asking some potentially awkward questions of them, to ensure they’re playing ball, that your users’ personal information is safe and that you are legally protected.
For businesses that rely on Kumulos, making sure the personal data they collect and trust us with is protected within a legally binding framework is critical to both them and us. That’s why we offer European businesses a fully GDPR-compliant service – one where your data, and any personal data of EU citizens that you collect, will be held entirely within the EU. No ifs, no buts.
If you’re an EU business with an eye on the future and you’d like to find out more about how we’re keeping data safe for our customers, or if you’d simply like to discover how we can help, let’s talk.