On July 16, 2020, the European Court of Justice (ECJ) annulled the “EU-U.S. Privacy Shield” framework, which was accepted by the European Union (EU) four years back on July 12, 2016, and came into effect since August 01, of the same year. The ECJ cited gaps in the data security measures of the U.S. Surveillance Law and regarded them as “inadequate” to protect the data privacy rights of the EU citizens as defined under the General Data Protection Regulation (GDPR) formulated in 2018. Abiding by the judgment, Google, a tech giant that harnesses and uses personal data for certain features and apps, is all set to move towards Standard Contractual Clauses (SCCs) for transfers of online advertising data out of Europe Economic Area, Switzerland and the U.K.
By Mihir Bagwe, Tech Writer, CISO MAG
- EU-U.S. Privacy Shield was invalidated by ECJ on July 16, 2020.
- ECJ asked businesses to follow the Standard Contractual Clauses (SCC) provision.
- Google has already adapted the SCC for addressing its data transfer requirements of Google Cloud and G Suite products.
- It is now all set to move Google Ads to SCC from August 12, 2020.
- As a result, it will be updating their existing Google Ads Data Processing Terms, Google Ads Controller-Controller Data Protection Terms and Google Measurement Controller-Controller Data Protection Terms.
- The invalidation is proving costly and time consuming for many businesses.
Google Moves to Standard Contractual Clauses (SCC)
This is not the first instance of scrapping a data transfer framework between the transatlantic. In 2015, a similar framework known as Safe Harbor was taken down by the ECJ and thus, companies were asked to use the SCC to authorize the transfer of data across the continents. Similarly, the ECJ has again asked companies to revert to the SCCs and data regulators to keep a close eye on the GDPR compliance of the U.S. companies.
Adhering to this, Google has already implemented the SCC to address EU data-transfer requirements for Google Cloud Platform and G Suite. However, one of its most aggressively profit-making products – Google Ads – was still not aboard this ship. But this is all set to change on August 12, 2020. Google Ads has sent an intimation to all its users stating that it honors the ECJ’s ruling of invalidating the EU-U.S. Privacy Shield and is moving towards the SCC.
The effect of these changes will be seen in the existing Google Ads Data Processing Terms, Google Ads Controller-Controller Data Protection Terms and Google Measurement Controller-Controller Data Protection Terms. Google was also quick to clear the air that they are implementing the SCC only to fulfill the GDPR compliance and that these changes will not give them any additional data rights over its users.
Effects of EU-U.S. Privacy Shield Invalidation
ECJ’s ruling came as a shock to the U.S. Department of Commerce. However, it is optimistic and looking forward to improving the personal data privacy measures of the Privacy Shield. They strongly feel that the framework can be reestablished in the coming years for the ease of businesses between the two continents.
In the meanwhile, the existing members of the shield, of which 70% are small and medium-sized enterprises (SMEs), are facing an uphill task reverting to the SCCs in the wake of the ongoing pandemic. Many businesses have contracted resources and are bootstrapped on the financial front. The legal teams of software companies that solely relied on the Privacy Shield are scampering to update their terms and conditions and issuing updated versions of existing contracts if they wish to continue processing EU data. Companies are now completely dependent on their lawyers for creating thousands of new contracts, which also need to be signed manually as per SCCs requirement. Hence, this shift to Standard Contractual Clauses is not only proving to be costly but also a time-consuming affair.
About the Author
Mihir Bagwe is a Tech Writer and part of the editorial team at CISO MAG. He writes news features, technical blogs, and conducts interviews on latest cybersecurity technologies and trends.
Other Posts from the Author:
- Don’t Just be a Good CISO, Be a Successful CISO!
- OT-ISAC Virtual Summit Brings Together the Best Minds in APAC for OT/ICS Security
- Is the Co-existence of Security and User Experience in Media Industry Possible?
- COVID-19 Pandemic is a Silver Lining for Cybersecurity