News about the invalidated EU–US Privacy Shield has resulted in many questions from advertisers in the EU on the impact on their digital marketing activities.
Many of these organisations rely heavily on US-based marketing and analytics tools and vendors like Adobe, Facebook, Google, LinkedIn, Xandr and many more.
The Privacy Shield
On July 16, the CJEU (Europe’s top court) invalidated the EU–US Privacy Shield, effective immediately. This means that US companies that previously depended on the Privacy Shield for data transfers must now find other options to avoid illegal transfers of personal data from the EU in violation of the GDPR.
Other Legal Mechanisms
For now, another EU–US data transfer mechanism – the Standard Contractual Clauses – remains intact. However, the main reason the CJEU invalidated the Privacy Shield is that it cannot guarantee sufficient data protection in the US. This finding is based on US laws that give intelligence and security agencies the right to see and use any data from EU citizens without limitations. The point is that the Standard Contractual Clauses are only valid when the same level of data protection can be guaranteed as the Privacy Shield required – which is highly unlikely with these US laws in place.
What Vendors Say
Asking around at various vendors yields broadly the same statements:
Vendors are closely monitoring the latest developments, researching what the impact on their business could be, and awaiting further guidance from EU data protection authorities. Pending further guidance, they expect to continue operating under the Standard Contractual Clauses.
What is Next
When asked, the Dutch Data Protection Authority states that the European Data Protection Board (EDPB) is now researching the practical implications.
Based on this, the EDPB will provide guidance as soon as possible on additional measures that organisations can include in model contracts. Until further guidance arrives, there is not much that advertisers in the EU and their vendors can do. However, it can be expected that, at a minimum, the various contracts and agreements involved will have to be adjusted. In the end, the maximum impact could be that EU data may not be transferred to the US at all – and that all vendors should keep EU data at EU-based data centers only.
Want to know how this might influence your business?
Currently we're still awaiting further guidance from the EDPB. Based on the outcome, we'll post a new update and dive into some of the possible underlying technical effects.