The EU-US Privacy Shield Invalidated: What Does This Mean for Your Business?

  • UPDATED: 01 September 2022

In the age of hyper-personalisation, data is considered the new oil that runs the engine of intelligent customer engagement in an increasingly customer-obsessed world.

Regulatory bodies and brands around the world have wrestled with the need to find a balance between how data should be allowed to be used vs protecting individual rights to privacy and how to regulate that information flow.

Following a complaint, mostly targeting Facebook, the Court of Justice of the European Union on July 16th, 2020 effectively invalidated the EU-US Privacy Shield, citing concerns that US courts take a different view of what counts as legitimate access to personal data, especially by law enforcement and government bodies.

I’m happy to share that MoEngage is 100% compliant with the new ruling. MoEngage has EU-based data centers, and no information related to EU customers leaves the EU jurisdiction.

However, as a consumer brand marketer, you might have questions about the invalidation. That’s why I’ve included information about the Privacy Shield, how it was used by technology companies, the impact of the invalidation on consumer apps, and my thoughts on why privacy regulations are important in the sections below – take a look.

The EU-US Privacy Shield is an umbrella policy that requires companies to comply with the GDPR guidelines while transferring personal data to the US. (NB: there has always been an additional set of protections under “Standard Contractual Clauses”, which are more specific in nature and applied individually in contracts between companies that hold data on EU citizens but use US-based data centers. This practice has not been invalidated, because of the individual nature of the clauses, but neither is it validated wholesale without additional checks.)

Why Does It Matter?

Over 5000 companies have legally transferred data on EU data subjects from the EU to the US under the Privacy Shield for the legitimate purpose of providing their services. Now that several findings have shown that the shield could not provide the same level of protection that EU residents enjoy under the GDPR, the policy has been struck down. The US is now considered a third country with no special arrangements for processing the data of EU users. This essentially means that organisations that transferred data from the EU to the US will have to rely on robust SCCs unless and until a new umbrella policy is agreed.

How Have Technology Companies Used the Privacy Shield?

  • Technology companies: Major tech giants such as Microsoft, Google, and Facebook had signed up to the EU-US Privacy Shield to facilitate the transfer of personal data from the EU in a safe manner. Data is routinely transferred from the EU to the US when users fill in forms on websites or make credit card transactions. Advertising platforms such as Facebook and Google have leveraged that data to create very profitable personalised and targeted ads aimed at EU-based customers. The Privacy Shield effectively meant Facebook could legally use EU data to display relevant ads to users.
  • Consumer apps: Whenever a user downloads an app, they are asked to permit the app to access personal information such as their name, age, location, credit card details, etc. Mobile apps also collect information about the device, its usage and activity: the device’s OS, OS version, geolocation data, browser type, WiFi connection data, IP address, etc. ‘Compliance-focused’ mobile apps believed that this information, sent under the cover of the EU-US Privacy Shield, was safe. The stated purpose was to offer better services and experiences to app users.
  • CDPs, customer engagement, attribution platforms, and other forms of marketing technology: A CDP collects all the data on a customer from various sources and consolidates it into a single view, enabling marketers to segment customers and hyper-personalise their campaigns. Attribution platforms, on the other hand, provide marketers with details on the effectiveness of their campaigns and identify what led to successful app installs. They also measure other factors, such as the event that led to a user making an in-app purchase. This helps marketers understand what works and what does not, and focus their investments better. Engagement platforms enable marketers to use data to send highly targeted, and therefore relevant, personalised messages to people.
  • The EU-US Privacy Shield was intended to make GDPR-standard data protection enforceable on organisations transferring the personal information of EU citizens to the US.

The Impact of the EU-US Privacy Shield’s Invalidation on Consumer Apps

Consumer apps largely depend upon customer data not just to send targeted ads but also to enhance the customer’s experience. With the new ruling invalidating the Privacy Shield, consumer apps will come under tighter scrutiny, and brands that use them will have to take additional steps to discharge their responsibilities to their customers. According to Dan Frank, principal of Deloitte Advisory Cyber Risk Services, data transfers could be stopped and hefty monetary fines imposed on a company found to be ignoring the invalidation of the Privacy Shield. The scrapping of this framework may have a huge impact on consumer app providers, especially small and medium-sized ones that until now have paid less attention to SCCs. They will be compelled to update their privacy processes to continue receiving EU data. This does not mean that they cannot work with non-EU companies or vendors. It just means that the new development is going to pose fresh and varied challenges for app providers in receiving data. They may have to create thousands of Standard Contractual Clause contracts to continue receiving data, which could be time-consuming and costly.

What Are the Alternatives?

Now that the EU-US Privacy Shield has been invalidated, app providers can use the following alternatives to continue offering an enhanced experience to their users.

  • Standard Contractual Clauses (SCCs): The SCCs are a set of contractual terms and conditions that the sender and receiver sign to ensure that sufficient safeguards are in place to protect the data being transferred internationally. Companies have the option either to follow the model contract provided by the European Commission or to draw up their own contract guaranteeing data protection. Under these clauses, if the destination country is unable to provide protection, the flow of personal data will be stopped immediately. Google has agreed to abide by SCCs to move advertising data out of the European Economic Area, Switzerland, and the UK.
  • Binding corporate rules: These rules apply to companies that need intra-group data flows. They enable companies to exchange data outside the EU within the same corporate group without flouting the GDPR.
  • Consent from the data subject: The third alternative is to obtain full consent from the data subject to transfer their data to a third country.

How Does MoEngage Stack Up Against the Ruling?

MoEngage offers mobile app providers and websites deep insights into how end-users interact with their apps; we have ALWAYS ensured that our platform is compliant with GDPR, CCPA, and the EU-US Privacy Shield. Our full privacy policy can be accessed here. We are committed to helping brands provide a personalised experience to their customers without compromising personal data. For this reason, MoEngage has EU-based data centers that are ring-fenced. No information related to EU customers leaves the EU jurisdiction, so it remains 100% compliant. App providers who have partnered with MoEngage do not need SCCs and need not worry about the invalidation of the EU-US Privacy Shield. They can be assured that their data is not being transferred to the US.

Final Thoughts

We cannot stress enough the role of data in personalising the experience for customers across online and offline channels. Marketing and user experience could not have reached this level of sophistication without data. However, we cannot ignore the fact that customers have to be able to trust that their data is safe when they share it with companies. Hence it is imperative that companies adhere to the compliance laws and incorporate them into their best practices and corporate culture. Customer trust is paramount for a company’s success; it’s crucial not to lose it.
