Connect with us

Business

What U.S. companies should consider following the bombshell EU Privacy Shield ruling

Published

on

Our mission to help you navigate the new normal is fueled by subscribers. To enjoy unlimited access to our journalism, subscribe today.

If you’re an American company with European users or customers, and you transfer their personal data to the U.S. for company use, you need to be aware of what just went down at the EU’s top court today.

That’s because the Court of Justice (CJEU) just made a huge ruling. The upshot: it’s possible you will no longer be able to serve people in the EU—if not now, then in the not-too-distant future.

You can read our full story on that ruling separately, but here’s a quick run through the implications. And again, those implications could be immediate, depending on your circumstances.

Privacy Shield

U.S. companies using Europeans’ personal data need some sort of legal justification for doing so. That’s because the U.S. lacks an EU-strength federal privacy law (or indeed any comprehensive federal privacy law at all.)

By far the easiest way to keep things legal was to sign up to the so-called Privacy Shield register—essentially, self-certifying that the company will stick to EU rules. This register was created under a trans-Atlantic deal of the same name, struck between the U.S. and EU in 2016.

That deal is now dead. The CJEU on Thursday cancelled it with immediate effect, basically for two reasons: it didn’t stop U.S. intelligence from poking around companies’ data even if they were on the list; and there was no effective way for EU citizens to file a complaint about this in the U.S.

The U.S. Department of Commerce reacted by indicating it would be, in a sense, business as usual. In a statement expressing disappointment with the ruling, the department said it would “continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List.”

“Today’s decision does not relieve participating organizations of their Privacy Shield obligations,” it added.

The Europeans beg to differ. To paraphrase Monty Python’s Dead Parrot sketch, Privacy Shield has passed on; it has kicked the bucket; it has shuffled off its mortal coil, run down the curtain and joined the bleeding choir invisible. It is an ex-agreement.

So you can continue to abide by the register’s obligations—essentially, respecting EU privacy law as best you can—but that no longer means your EU-U.S. data transfers are legal in European eyes. Which was the whole point of the register to start with.

(There may still be a legal reason to keep those promises over in the U.S., though. “Companies that have made privacy promises under Privacy Shield could be subject to enforcement for deceptive practices if they do not live up to those privacy promises,” said Peter Swire, a senior counsel at law firm Alston & Bird.)

Eline Chivot, senior policy analyst at the Center for Data Innovation, described the impact well in a statement Thursday: “The decision delivers a severe blow to the operations of over 5,000 European and American companies who use the EU-U.S. Privacy Shield as the legal basis for transatlantic data transfers. It will immediately upend, and in many cases even halt, data transfers between the EU and the United States, leaving many businesses with no suitable alternative.”

Standard contractual clauses

But what if Privacy Shield isn’t your only legal basis for those transfers?

Some U.S. companies such as Facebook (the firm involved in this particular case) and Microsoft have for years also been relying on a mechanism called “standard contractual clauses,” or SCCs. These are, as the name suggests, oven-ready clauses that the European Commission wrote, again outlining a range of rights and responsibilities in line with the EU’s strict GDPR privacy law.

The court did not strike down SCCs, though it had the option to do so.

It said SCCs were fine in general because an EU privacy regulator can still invalidate them on a case-by-case basis if a company is breaking the clauses’ terms or is unable to stick to them—because, say, it can’t stop the intelligence services back home from conducting mass surveillance on the data.

This is where the striking-down of the Privacy Shield becomes a problem for Facebook and any other big American tech company relying on SCCs to send Europeans’ data over to the U.S.

Although the Snowden revelations of 2013 led to some limited reforms in U.S. surveillance law, Section 702 of the Foreign Intelligence Surveillance Act (FISA) still allows for the mass collection of non-Americans’ personal data from Big Tech firms.

Some in the U.S. argue that surveillance only starts when the agencies actually look at the data—which is a more restricted activity. But the Europeans see surveillance as starting at the point of collection. So in European eyes, the U.S. regularly conducts mass surveillance on Europeans’ data—and there’s nothing the U.S. companies handling that data can do about it.

That’s serious enough to have scuppered Privacy Shield (and its predecessor, Safe Harbor) so it is difficult to see how the SCCs used by a company like Facebook can survive if challenged before an EU privacy authority.

“Although the system of standard contractual clauses will remain in principle and the standard contracts concluded will initially remain in force, they will have to be reviewed and, if necessary, suspended by the data protection authorities in the light of the [CJEU] ruling,” wrote former German data protection chief Peter Schaar in a blog post.

So what now?

Of course, not every American company serving Europeans is a Facebook or Google. If you don’t have U.S. agencies scrutinizing your data under Section 702 of FISA—if, for example, you’re an airline or a retailer—then SCCs could still work for you.

The big difference now is that you’ll first have to convince EU privacy regulators that European customers’ data isn’t subject to surveillance in the U.S.

“Data exporters and importers using the standard contract clauses must verify the level of protection in the [country where the data is going] first.  The importer also has a duty to report any issues to the exporter,” said Tony Vitale, a partner at JMW Solicitors, in a statement.

And if your processing of Europeans’ personal data is “necessary” for the fulfillment of your user contracts—if you’re an email provider handling emails, for example—then that’s also automatically kosher under EU law.

“The court explicitly highlighted that the invalidation of the Privacy Shield will not create a ‘legal vacuum’ as crucially necessary data flows can be still undertaken,” said Max Schrems, the litigant who brought the case, said in a statement after the ruling came through.

But an awful lot of U.S. companies, big and small, are still likely to be flailing around now, looking for a legal solution to a problem that abruptly landed in their laps on Thursday morning.

The only reliable, long-term solution would be changes in U.S. privacy and surveillance law. Expect to see Silicon Valley’s lobbying efforts step up on that front very soon.

More must-read international coverage from Fortune:

Continue Reading
Comments

Business

Russia Claims It Has the World’s First Coronavirus Vaccine

Published

on

The vaccine has not completed clinical trials but President Putin says it works ‘quite effectively.’

Continue Reading

Business

BROWN GIRL Jane Partners SheaMoisture For New $250,000 Fund For Black Beauty Brands

Published

on

Malaika Jones Kebede,

The new conversations centered around racial injustice have caused a revolution in many industries, demanding corporations to diversify everything from their workforce to the products being sold to consumers. This week, Brown Girl Jane, a plant-based beauty and wellness company, announced its new initiative and partnership with SheaMoisture to amplify Black entrepreneurs within the beauty industry.

#BrownGirlSwap is an initiative designed to amplify and support Black-owned independent beauty and wellness brands in the industry. The initial idea started as a pledge to swap out your beauty products with Black-owned companies which developed into a more intensive program. “This year has been such a whirlwind [for us] with so many things happening. [We conceived the idea in] early June at the time as a lot of the social justice movements [with] a new focus [around and economic empowerment],” said Malaika Jones Kebede, CEO of Brown Girl Jane in an interview with BLACK ENTERPRISE.

“My team and I really wanted to start something that was simple and doable but that would potentially have a ripple effect and so we came up with the idea of the brown crosswalk, which really is a simple idea asking consumers to pledge to just swap outside of their everyday beauty and wellness products for those made and by Black women founders and owners.”

The grant will help cover a new entrepreneurship program offering business-to-business mentorship with seasoned executives from SheaMoisture and beauty conglomerate, Unilever in addition to a virtual summit presented by both brands centering around Black beauty creators in September called The Black To Business Summit.

“It’s important for us to create and partner on opportunities and spaces that encourage the growth of women of color in business. Our Community Commerce purpose-driven business model enables us to invest in Black female entrepreneurs around the world. As a brand, we have always invested in the underserved, by providing access to opportunities and resources which help to create lasting value for entrepreneurs and their communities,” said Cara Sabin, CEO of SheaMoisture, in a statement to BLACK ENTERPRISE.

“We were so inspired by BROWN GIRL Jane’s three dynamic founders, and the ability of other Black beauty founders to build dynamic businesses. Our brands connected even further over the shared mission to support and uplift these businesses as we continue SheaMoisture’s long history of meeting Black women’s unique needs in personal care.”

 

View this post on Instagram

 

Hey, Tribe! ⁠ ⁠ Supporting black businesses, especially those owned by women of color (WOC), has always been important. Now, even more so. ⁠ ⁠ Recognizing the importance of supporting WOC in the wellness and beauty industry in particular, we invite you to join us in @BrownGirlSwap. ⁠ ⁠ WHAT IS IT? ⁠ ⁠ How many of us buy wellness and beauty products that could easily be swapped for Black-owned WOC brands? Nail polish? Serums? Um, CBD tinctures? Lipstick? Candles?⁠ ⁠ The list goes on and on. The @BrownGirlSwap calls on you to consciously commit to swapping FIVE of your common daily products for a brand that is owned by a WOC. This is an easy, simple way to start and put your (real) dollars behind change.⁠ ⁠ So, Sisters and Allies- join the @BrownGirlSwap and show us just how easy it really is. Tag #BrownGirlSwap in your videos, pictures and posts to encourage your friends to join in.⁠ ⁠ #browngirlswap

A post shared by The Brown Girl Swap (@browngirlswap) on

Continue Reading

Business

TheBoardlist—a leading advocate for putting more women on corporate boards—opens its platform to men of color

Published

on

The movement for gender diversity on corporate boards has made real progress in the past decade, inching past the long-sought milestone of 20% female representation on Fortune 1000 boards in 2017. But while that effort has always aimed to include women of color, broader racial diversity has never been its first priority.

Now, one of the leading organizations pushing for more gender-inclusive boards is expanding its mission. TheBoardlist, a platform that connects companies with qualified women ready to serve as directors, will now allow men of color to participate in its service, the company announced Tuesday. That decision takes the power and influence of the largely successful movement to improve women’s representation on corporate boards and puts it behind the push for boards’ racial diversity, which has been backed by far fewer resources.

“Our broad lens was always diversity. Our starting point was gender,” says theBoardlist founder Sukhinder Singh Cassidy. “We’ve always known at some point we would expand. There’s no doubt that the acceleration of racial equity as a cultural issue and a business issue definitely led us to say this is the right time.”

Within the Fortune 500, white men hold 66% of board seats, theBoardlist says. Another 18% belong to white women. Nine percent of Fortune 500 board directors are Black men or women, 4% are Asian, and 4% are Latino.

TheBoardlist began with advocating for women, Singh Cassidy says, because the issue was a “very obvious and large starting point.” Many other champions of corporate diversity have had a similar approach—including in state legislatures, where lawmakers have issued gender-based quotas for public companies, but have not yet done the same for race. (Illinois attempted to legislate on both fronts in 2019, but saw its final bill watered down by the time it reached the governor’s desk.)

Lawmakers and advocates have often hoped that gender would “open the door” to a broader conversation about diversity, says California State Sen. Hannah-Beth Jackson, who introduced the state’s groundbreaking boards legislation.

That hasn’t always turned out to be the case. In states that have led on gender diversity on boards, racial diversity is certainly on lawmakers’ radar—but none have moved forward on the problem yet. “I suspect that issue will come up eventually, but I don’t think it’s top of mind for most folks,” says Washington State Sen. Jamie Pedersen, citing the more immediate pressures of the pandemic and police reform; Pedersen introduced the state’s board gender diversity legislation, which was enacted in March. Jackson is retiring so she won’t be leading any boards legislation on racial diversity in California, but she says the issue has come up among her colleagues and she expects to see some action.

The movement for board diversity involves other stakeholders besides lawmakers and advocates, from the companies naming candidates to these seats to the outside firms that help businesses navigate inflection points like initial public offerings. Goldman Sachs this year announced it would not take a company public unless it has at least one “diverse” member of its board; that language doesn’t leave out racial diversity, but it doesn’t explicitly require it either.

“I think you’ll see not just legislators, but people who are involved in taking companies public, or in corporate governance,” predicts Singh Cassidy, “they’ll all broadly trend towards this initiative.”

More on the most powerful women in business from Fortune:

Continue Reading

Trending

Copyright © 2020 Black Biz Daily News