Privacy Shield Invalidation and the Impact on Supplier Governance

The rise of the internet is one of the most critical events in the history of our species. It connected the world like never before and enabled people and businesses to rethink the traditional ways of doing things. The internet-enabled platforms and websites became an integral part of our lives and changed the way things worked. To better cater to their audience, these platforms and websites started tailoring the experience for each user, and all of this advancement required the collection of users’ personally identifiable information.

With more data collected by these platforms and websites, data privacy has become the top concern among internet users. Users wanted transparency into who can access the information collected, whether it can be stored, read and shared without their consent, and whether it can be used to track their online activity.

Moreover, businesses exchanged the data collected on the internet across international borders, and soon this raised government-level concerns about privacy and about how small and large companies used customer data. This led the United States Department of Commerce and the European Commission to develop a “Privacy Shield” framework to regulate data exchanges by businesses between the European Union and the United States.

What is Privacy Shield?

Privacy and the protection of personal data are considered fundamental rights in the EU, which has stringent data protection laws to protect people’s privacy. In the EU, everyone has the right to the protection of their data, the right to access data collected about them, and the right to have it rectified. Also, such data must be processed fairly for specified purposes, with consent or another legitimate basis laid down by law.

These laws and frameworks ensure that the data of people in the EU is protected even when it is transferred outside the EU. For example, when personal data was being transferred to the US, businesses exporting the personal data relied on the Privacy Shield mechanism.

The US Department of Commerce, together with the European Commission and the Swiss Administration, designed the EU-US and Swiss-US Privacy Shield frameworks to support transatlantic commerce and to provide businesses transferring personal data from the EU and Switzerland to the US with a mechanism to comply with those jurisdictions’ stringent data protection requirements.

Under Privacy Shield, businesses in the US had to adhere to the Privacy Shield Principles when handling EU-governed personal data. The seven primary Privacy Shield principles are:

  • Notice – Notify individuals about the collection of their data and its intended use.
  • Choice – Allow individuals to opt out of the disclosure of their data to third parties.
  • Accountability for Onward Transfer – Comply with the Notice and Choice principles when transferring data to third parties.
  • Security – Protect personal data from loss, misuse and unauthorized access, disclosure, alteration, and destruction.
  • Data Integrity & Purpose Limitation – Ensure data is reliable and relevant for its intended purpose.
  • Access – Allow individuals to access, correct, amend, or delete personal data collected from them.
  • Recourse, Enforcement & Liability – Provide recourse for individuals who are affected by non-compliance with the Principles.

Why was Privacy Shield Invalidated?

It all started when a series of complaints from Maximilian Schrems, an Austrian privacy advocate, led to the dismantling of the “Safe Harbour” framework (the predecessor to the Privacy Shield framework) by the Court of Justice of the European Union (CJEU). This court case is now referred to as the Schrems I case.

Then Maximilian Schrems challenged two of the most widely used mechanisms for transferring personal data from the EU to the US, namely the Standard Contractual Clauses (SCCs) and the Privacy Shield framework. This court case is now referred to as the Schrems II case, and it occurred shortly after former NSA contractor Edward Snowden blew the whistle on classified US government surveillance programs.

The Schrems II case challenged the legality of this system, arguing that a level of data protection adequate under EU law cannot be ensured by Facebook, since US laws (such as FISA 702 and EO 12.333) mandate mass surveillance, in sharp contrast to EU law (such as the GDPR), which mandates strong data privacy.

The CJEU then invalidated the Privacy Shield, a widely used framework for transferring personal data to the US, and ruled that enterprises can continue to use the Standard Contractual Clauses (SCCs) as long as the data controller, the data recipient, and the data protection authority in the EU member country deem the transfer able to ensure an adequate level of data protection.

The impact of Privacy Shield Invalidation on Supplier Governance

Today’s digital era has witnessed an explosion of business relationships in which employees, customers, and partners access business-sensitive data governed by privacy laws. With the rise of SaaS apps and mobile apps, and growth in partners, affiliates and sub-contractors, companies may transfer personal data to a large number of other entities. This implies that PII may be stored or accessed across hundreds of entities in many jurisdictions. When sub-contractors and gig economy workers are added, the problem is compounded.

Many enterprises don’t know what personal data is collected and processed by their suppliers, or where those suppliers are located.

Most enterprises would need to amend many supplier contracts, and without adequate process and tool support there is a reasonable level of complexity involved.

Also, to understand the impact on their existing contracts, enterprises need robust contract lifecycle management processes and a clear understanding of which contracts reference Privacy Shield and therefore need to be amended.

Does it impact mid-sized US companies that sell in the EU?

If a company processes personal data from the EU, it must comply with the EU GDPR and other applicable privacy laws. However, suppose a mid-sized company collects data directly from the EU and there is no other party involved; in that case, we are talking about GDPR compliance and applicability in its entirety, of which transfers are only one part.

A recent example would be the Irish authorities asking Facebook to keep the data of EU individuals in the EU.

What happens if the company is non-compliant?

In this global economy, most companies, especially large ones, transfer data for multiple purposes, and being non-compliant with the GDPR or other data protection laws entails enormous fines (up to 4% of global turnover or 20M Euros, whichever is higher), reputational risk, and operational challenges and complexities.

Moreover, for companies that have already been transferring data, not having a legal means to transfer it is a massive challenge: they cannot stop data transfers suddenly, and if they continue, they are at risk.

How does invalidated Privacy Shield impact Supplier Contracts?

The immediate impact is the need to review these contracts, especially the ones based on the Privacy Shield mechanism. In addition, these supplier contracts need to be assessed and redrafted on the basis of another data transfer protection mechanism while mitigating the risks. If the data protection is inadequate, stopping transfers, accepting the risks, or strengthening transfer conditions are the options available to businesses.

How to avoid non-compliance in the supply chain after Privacy Shield Invalidation?

After the invalidation of the Privacy Shield, more than 5300 certified companies that relied on it as part of their contracts with suppliers need to act to ensure the legality of transatlantic data transfers.

According to the IAPP, SCCs are the most popular method (88% of respondents), followed by compliance with the EU-U.S. Privacy Shield arrangement (60%).

Using TPRM Tools & Automation

To avoid being non-compliant across their supply chain, businesses need solid processes and platforms for managing and assessing contracts to mitigate the associated data privacy risks. Companies fall into two broad categories:

  • Companies that have implemented a robust Third-party Relationship Management (TPRM) framework and have marked the contracts that involve personal data, its location, and the means of data transfer.
  • Companies that don’t have easy access to this information across their organization-wide contracts.

Companies with a robust TPRM framework in place will have better operational insight into the flow of personal data to suppliers and sub-contractors across locations. They can automate their privacy data assessments to mitigate the risks involved in transatlantic data transfers.

In addition, tools and automation that use machine learning and artificial intelligence to determine which contracts reference PII clauses, the GDPR or Privacy Shield, and whether standard clauses have been adopted, further strengthen the company’s data privacy efforts.

Beyond the assessment of personal data and contract clauses, each privacy regulation (including the GDPR) has robust requirements around the ability of individuals to request information on how their data is used and to have their data removed or purged. Enterprises have a defined time within which they are required to respond to such requests. Without an easy way to propagate such a request to suppliers, it is difficult and expensive to ensure compliance.

In summary, this is a risk that companies need to mitigate. If transfers are based on the Privacy Shield, a contract revision is the minimum, and an assessment of all transfers is also recommended.

First Steps to avoid non-compliance for Data Privacy & Transfers

Once companies have implemented a robust TPRM tool for their contract and supplier relationship management, they need to do the following three things to comply with data privacy regulations:

  1. Identify contracts that involve personal data transfers.
  2. Assess and redraft contracts that are based on the Privacy Shield framework, together with their legal and privacy teams.
  3. Assess the risks for the remaining contracts and plan a risk mitigation strategy.

How can Enlighta TPRM & Supplier Governance Platform help?

Enlighta offers robust Third-party Relationship Management and Contract Lifecycle Management functionality to help enterprises comply with data privacy regulations by providing:

  • A Centralized Contract Library for all third-party contracts, amendments, and supplier documents.
  • AI and ML powered Contract Extraction to automate the identification and extraction of data privacy and security clauses and to perform contract analysis for compliance.
  • Enhanced Document Search to quickly search contracts using boolean, keyword, and proximity search terms, with automatic text recognition in images or scanned documents by Optical Character Recognition (OCR).
  • Robust Clause Library to set up clauses for data privacy and auto-populate section fields in contract templates to easily include a data privacy clause in all supplier contracts.
  • Contractual Obligation Management to easily manage and track data storage and protection obligations for suppliers, with the ability to assign the criticality and financial impact of such obligations.
  • Contract Issues & Action Items Management to easily create (manually or automatically), assign, reassign, resolve, and close data privacy and protection issues across the contract life cycle.
  • Ongoing Risk Assessment, Tracking & Mitigation to capture inherent, assessed and residual risks and track risk mitigation activities for data privacy and protection.