Data privacy is paramount for video communications, and Pexip is committed to keeping your data secure. In a recent decision, the Court of Justice of the European Union (CJEU) struck down a critical data-sharing agreement that allowed personal data to be lawfully transferred from the EU/EEA to the United States for storage and processing. Thousands of companies on both sides of the Atlantic relied upon this agreement, referred to as the EU-U.S. Privacy Shield, when using services from providers such as Google, Microsoft, Mailchimp, Salesforce and thousands of others.
Because the court’s judgement took many by surprise and had immediate effect, customers and partners have asked how this decision impacts Pexip, including our actions taken to ensure that the transfers of data align with governmental and agency guidance. This post sheds some light on the history and context behind the court’s decision, and the actions taken by Pexip to ensure all data transfers and processing are lawfully made.
Understanding the Judgement: What Happened?
The EU-U.S. Privacy Shield was a result of the 2013 revelations made by Edward Snowden regarding U.S. foreign surveillance. An Austrian privacy activist and law student named Maximilian Schrems was concerned about the privacy of his Facebook information when it was transferred to the United States for storage and processing. Was his fundamental right to privacy being violated by foreign surveillance activity as revealed during Snowden’s disclosure? After very little assistance from the data protection authority in Ireland to investigate his complaint, Mr. Schrems filed a lawsuit against Ireland’s Data Protection Commission, claiming Facebook’s platform violated his fundamental privacy rights.
At that time, data transfers from the EU/EEA into the United States were not based on the EU-U.S. Privacy Shield; instead, transfers were made on a prior legal mechanism called the EU-U.S. Safe Harbor Framework. In the lawsuit of Schrems vs. the DPC (also called Schrems I), the European Court of Justice struck down the Safe Harbor agreement on 6 October 2015, finding the framework did not ensure a “safe harbor” of privacy and security on behalf of EU individuals against U.S. surveillance activity.
Working together over many months, the European Commission and the U.S. Department of Commerce built a replacement framework, and on February 2nd, 2016, the parties reached an agreement on a new framework that enabled the lawful transfer of data to the United States. The new framework was called the EU-U.S. Privacy Shield, and it is that framework that has now been invalidated.
Guidance from Governmental Agencies
The matter of Data Protection Commission vs Facebook Ireland Ltd and Maximilian Schrems (also called Schrems II) has affected thousands of companies on both sides of the Atlantic. U.S. Secretary of Commerce Wilbur Ross estimates the economic consequence to be nearly 6 trillion euros (7.1 trillion USD). The questions are, what now, and what has Pexip done to ensure it is lawfully processing data?
21 governments and agencies have issued guidance, including the European Data Protection Board (EDPB). Speaking for the European Commission’s interpretation, Vice President Věra Jourová provides this guidance: “The Court of Justice declared the Privacy Shield decision invalid, but also confirmed that the standard contractual clauses remain a valid tool for the transfer of personal data to processors established in third countries. This means that the transatlantic data flows can continue, based on the broad toolbox for international transfers provided by the GDPR, for instance binding corporate rules or Standard Contractual Clauses.”
Next Steps for Pexip
In regard to Pexip and the services we use in the United States, standard contractual clauses have been enacted as a result of the guidance of the European Commission. This is the same guidance provided by the EDPB and many other data protection authorities. Following the lead of the global law firm DLA Piper, Pexip is also performing a risk assessment for each U.S.-based processor, reviewing the laws of the importer, individual right of redress, types of data imported, categories of data subjects, sectors in which the importer operates and the volume of data transferred.
The data protection community awaits further guidance from data protection authorities and the European Data Protection Board, but in the meantime, the message is clear that ongoing data transfer using the EU-U.S. Privacy Shield is unlawful and subject to administrative action.
Pexip has given this matter immediate attention and we’ve taken swift action to comply with the guidance provided by governmental agencies to ensure lawful transborder flows and to ensure compliance with its subprocessors. For a full report and whitepaper regarding Pexip’s response to the EU-U.S. Privacy Shield Invalidation please reach out to your local Pexip representative. To read more about how Pexip upholds our high standards of information security, privacy and transparency for our customers, partners and employees visit our security page here: https://www.pexip.com/security
For questions around the privacy shield invalidation, please email firstname.lastname@example.org