July 21, 2020

EU-US Privacy Shield No More – What’s Next?

EU-US Privacy Shield No More – What’s Next?


On July 16, the Court of Justice of the European Union (CJEU) struck down a fundamental principle to transferring personal data from the EU to the United States. Thousands of American and European companies with transatlantic business relied on Privacy Shield. This news massively impacts their business and plans of moving to the cloud. 

Privacy Shield No More

The Privacy Shield was an agreement between the U.S. and the EU in 2016 to allow businesses to transfer data while ensuring compliance with data protection regulations. The direct implication for these businesses is they can no longer rely on Privacy Shield as the framework for transferring personal data from Europe to the United States. 

Without going too deep into the ruling, the invalidation of this primary transcontinental regulation could destabilize the standard methods data is transferred between nations and give more momentum to the data residency and localization trend we have seen in recent years. How can companies that rely on this regulation continue operating their businesses within compliance and keeping their global expansion plans intact?

The ruling expects companies that export EU personal data to evaluate whether such data transfers have satisfactory protection. If they don’t, enforcement action could be taken. Companies could sit back and see how this develops. However, the EU has recently made it clear it is now focusing on GDPR enforcement, which this effort will be part of. Hence, the risk of this approach is enormous. The fines that may now be imposed by data protection under GDPR can be up to 4 percent of a company’s revenue. While penalties to this extent have not been imposed yet, the risk business leaders would take with doing nothing is enormous.

How Can Data Localization Help

Regardless of the requirements and regulations imposed by different countries or jurisdictions – data localization – appropriately done, is the solution for companies that want to avoid future enforcement actions by storing regulated data, in this case, personal data, in the countries of origin. This must be done in an efficient manner where it doesn’t impact the overall cloud and data strategies they have deployed or hinder their applications, legacy, or SaaS ones. Done improperly, keeping all data in their countries of origin (Europe here), would be an expensive endeavor subject to substantial technical challenges. Instead, by only focusing on a narrow subset of their data, which is regulated, being compliant becomes a much cheaper undertaking.  

The Global Impact  

Geopolitically, this Privacy Shield ruling will be sending echoes across the world, just like GDPR did. Its impact could have more of an effect on data flows from other countries, such as China, Russia, and Japan. The strategy companies must take to solve this challenge must be a global one, and repeatable to multiple regions and countries worldwide. InCountry’s availability in more than 80 countries allows companies to distribute and localize data as necessary.

InCountry Global Compliance

It’s important to note that while regulators across the world continue to ask for increased data protection and oversight, w see customers getting ahead of the trend and setting their cloud strategies to stay compliant with regulations as these get refined and enforced. For example, a global utility company operating in Europe wanted to localize specific data in the U.S. While the laws did not require this, the customer felt more comfortable doing so to stay in compliance with their partners across the pond. 

Another European customer needed specific data from one of their SaaS applications that are typically served from a data center in Europe to be localized and serving their American employees and partners in the United States. A third customer has asked even to localize certain types of data that their local regulations are not asking for, but their business requirements do. 

InCountry Compliance Stack

Whether you rely on legacy applications or modern SaaS, InCountry allows customers to stay ahead of compliance challenges with an end-to-end solution. To learn more, contact our sales team.