The EU-US Privacy Shield has been struck down: what are the implications for EU companies using US software?
The EU’s rules around data privacy state that data cannot be transferred out of the EU unless appropriate safeguards are in place. On 16th July 2020, the European Court of Justice ruled that the current safeguards around the transfer of data from EU countries to the US were not adequate; that citizens’ privacy was not properly protected. The “Privacy Shield”, the name given to these safeguards, was struck down.
The challenge was brought before the European Court of Justice mainly because a private advocate argued that US national security laws did not protect EU citizens from government intrusion.
What does this mean for EU businesses using US software?
US software companies use US-based data centres; that means that when you use these services, your data is stored in the US. However, this does not mean that your data is now unsafe. US companies can add what are called ‘SCCs’ – ‘standard contractual clauses’ – to their contracts, which effectively replace the Privacy Shield on a company-by-company basis.
As you might expect, many US-based technology companies have either added SCCs to their contracts, or in many cases, already had them in place, just in case something like this happened.
However, SCCs on their own are not enough to transfer data to the US. Supplementary measures are needed. These measures ensure that the US government cannot impinge upon the adequate levels of data protection that the US company provides.
If you use US-based software, it’s important to check that your provider not only has SCCs in their contracts, but also that their supplementary measures are fit for purpose.
It is not uncommon for EU-based software companies to partner with US-based companies (called sub-processors) for some services, so it’s worth checking with your software provider that their partners are protected by SCCs and supplementary measures, too.
Where are Fast SMS’s data centres?
For all of our SMS services, Fast SMS’s data centres are in the UK. Although the UK will no longer be governed by the GDPR when it withdraws from the EU, it has incorporated the GDPR into UK law with the Data Protection Act 2018 and the Withdrawal Bill. So the data standards are the same in the UK as they are in the EU, and data can flow freely between the EU and UK. There is currently no requirement for SCCs between the UK and EU.