In July, the European Court of Justice ruled that the Privacy Shield, which allows for the transfer of data on European Union (EU) residents to the United States, is invalid. Privacy Shield certification was granted to companies if they met certain requirements regarding data security and information use.
The agreement between Washington and Brussels ensured that U.S. companies adhered to EU standards on data protection and privacy. In exchange, businesses were able to shift personal data on EU residents. But the high court ruled that American laws do not provide adequate protection for personal data.
While the ruling does not entirely kill data transfer, it still has major implications for users of ERP software systems and other businesses that hold information on European customers, suppliers, and employees, and want to move it across the Atlantic.
As a result, U.S. businesses that have been shifting personal data to America from the EU now need to find a new process or they will face potential fines under Europe’s General Data Protection Regulation (GDPR).
ERP Users Need to Adapt
More than 5,300 American companies were Privacy Shield participants, including hundreds that have been shifting ERP data to the U.S. from Europe.
Although the ruling continues to allow one annual data transfer, there is a complication that must be taken into account: ensuring that transferring data does not add any additional risks to security. The European court makes it clear that a more in-depth assessment of an organization’s data collection and transfer process is required.
What this means for ERP users – along with any other business shifting personal data into the United States – is that they need to evaluate the sensitivity and volume of data transfers as well as whether there is a genuine business need to move the information into the United States.
To justify data transfers, ERP users must assess what type of additional data security safeguards are required. While data can still be transferred “if necessary,” some clients are telling us that they are considering barring any transfers altogether.
Greater Compliance Burdens
While the Privacy Shield was a single set of compliance requirements covering all personal data, the European court decision continues to allow Standard Compliance Contracts (SCC), which has made the lives of chief information officers and chief information security officers even more complicated. This is because SCCs are specific to each data movement; a large organization might have hundreds of SCCs in place.
Compliance officers need to work closely with counsel to understand not just what the ruling means but to understand data flows across the entire company – often one of the key purposes of ERP.
Businesses now are required to evaluate each data transfer recipient to determine whether they provide an adequate level of protection. This means assessing what type of personal data is being transferred, how it will be processed, whether it may be subject to access by government agencies for surveillance purposes, and what safeguards are available. Few businesses are able to make those assessments.
Another U.S. – EU Clash on Privacy
This is the second time the European court has struck down a data transfer agreement between the EU and Washington, the first being when it invalidated the so-called “Safe Harbor” rules. The U.S. needs to adopt a tough national privacy and data security law, as such regulation is sorely needed. Privacy reform should be a priority for the business interests of Silicon Valley and all ERP users.