For global organizations, the flow of data between regions keeps business moving forward. Ensuring that flow of data meets all applicable regulatory and compliance standards is especially critical as it impacts customer loyalty and retention, profit margins and overall organizational trust and reputation.
However, in June 2020, the Court of Justice of the European Union (CJEU) ruled that the data-sharing agreement between the European Union and the United States was no longer valid. The European top court determined that the Privacy Shield certification currently in place did not sufficiently protect European citizen data. The European Commission requires that companies adhere to an “adequacy standard” when it comes to the transfer of data from Europe to another country. This adequacy standard requires that countries utilizing European citizen data uphold privacy protection standards similar to those found in the General Data Protection Regulation, particularly as they relate to data controller obligations and data subject rights.
The specific criteria for meeting this adequacy requirement are outlined in Article 45 of the GDPR. In short, the following must be upheld: a legislative framework that safeguards privacy rights, enforcement jurisdiction, international commitments to the protection of data subjects’ rights, and independent data privacy authorities with regulatory oversight.
The Privacy Shield’s Purpose
The Privacy Shield was designed to enhance privacy rights in a manner consistent with the GDPR, including upholding the indispensable privacy principles of security, choice, integrity, access, accountability and enforcement. In addition, one of the most important aspects of the Privacy Shield was comprehensive access, monitoring and enforcement structures. The Privacy Shield would also have protected against indiscriminate mass surveillance of European citizen data and set clear limitations and safeguards to data access by public authorities and law enforcement.
The adequacy of the Privacy Shield was challenged on the basis that it lacks sufficient protection of privacy rights. In reaching its decision, the court expressed concern that the interests of U.S. national security and law enforcement have primacy over individual data privacy rights. In addition, the court asserted that the Privacy Shield frameworks did not offer independent dispute resolution at no cost or mechanisms for European citizens to seek redress in the U.S.
So, what does this mean for U.S. organizations operating on a global scale?
The CJEU’s decision impacts more than 5,000 U.S. companies that previously relied upon the Privacy Shield to transfer data from Europe. In the event of non-compliance, U.S. companies may be subject to EU enforcement in accordance with the GDPR protections.
Fortunately, there is an alternative so global companies can keep data flowing. The court left open the use of Standard Contractual Clauses as an appropriate method for data transfers moving forward, contingent on a case-by-case evaluation of the merits of the clauses.
For companies that now need to rely upon Standard Contractual Clauses, it’s important to keep in mind the following required criteria:
- The privacy laws of the country to which EU citizen data will be transferred must provide data privacy protection consistent with the GDPR.
- Organizations must do their due diligence on the governing legislation related to accessing and processing personal information prior to transferring such data.
- If the jurisdiction of the destination country allows for releasing personal information to domestic surveillance entities or law enforcement, additional provisions must be added into the Standard Contractual Clauses that further safeguard individual privacy rights.
- Organizations must also bear in mind that EU Supervisory Authorities have the authority to prohibit data transfers should companies not fully meet the adequacy standard.
However, the case-by-case assessment required to ensure compliance presents considerable barriers to overcome, as well as potential risks.
Leveraging AI to Mitigate Risk
The challenges arise when corporate contracts are reviewed and analyzed manually. It is tedious, time-consuming and labor-intensive for compliance officers and their teams. It’s also an error-prone process as key phrases and clauses can be missed when reviewing tens, hundreds or even thousands of pages of contracts manually.
Not properly reviewing and analyzing contracts for relevant privacy stipulations can cause compliance risks, including litigation and hefty fines which can impact a company’s bottom line.
Global organizations can automate the review of contractual terms by applying artificial intelligence to contracts and other enterprise data. Here are three ways AI can make managing Standard Contractual Clauses easier.
- Improve your contract and compliance workflow by leveraging process intelligence technologies. Process intelligence is the collection of data used to analyze business processes and workflows in order to gain process efficiency. It helps organizations discover and measure how current processes work, identify process bottlenecks, and surface areas for process optimization. Infused with AI/ML-based predictive analytics, process intelligence allows users to proactively identify the outcome or performance of any process instance in the early stages of the process execution. This enables compliance teams to detect and receive alerts of actions that may be valuable or cause risk to the organization.
- By applying AI to data, content intelligence provides human-like understanding of contracts by utilizing natural language processing (NLP) and machine learning frameworks to extract and validate key clauses and data from even the most complex contracts and forms. This approach transforms unstructured content into structured and actionable information ready for further processing in intelligent automation platforms such as robotic process automation (RPA), business process management (BPM), and leading electronic resource processing (ERP) systems, thereby accelerating compliance analysis.
- Augment staff with self-sufficient digital workers through RPA platforms. Digital workers empowered with content IQ skills to read, understand and extract data from content make the digital workforce smarter and can truly enhance your human workforce. Staff will eventually delegate more tasks to AI and when relieved from repetitive, standard procedure tasks, they can focus their time and valuable expertise on activities that utilize their resources better.
As business leaders in an era where data plays a bigger role in a company’s bottom line than ever before, it’s imperative to hold data privacy as a paramount concern. C-suite leaders must be agile in responding to the implications of the EU Privacy Shield decision and prompt in ensuring that their organizations meet privacy compliance standards.
Commentary by Anthony Macciola.