EU July 2020 Privacy Shield Ruling

  • What happened?
    • The European Court of Justice invalidated the Privacy Shield, which many companies relied on to transfer EU data to the US.
  • Why was Privacy Shield invalidated?
    • The court deemed that the Privacy Shield failed to provide sufficient protection to EU data that was transferred to the US.
    • The court was particularly concerned about US intelligence agencies collecting EU personal data with minimal to no supervision.
  • How does this affect Persona and its customers?
    • In the same decision in which the court invalidated the Privacy Shield, it confirmed the validity of the Standard Contractual Clauses (SCCs) as a means of legitimizing international transfers. Recurly’s DPA has already been updated to include standard contractual clauses, so customers can continue to transfer data to Recurly in compliance with the GDPR.
  • Are the SCCs also at risk of being invalidated?
    • In light of the court’s concerns regarding US intelligence agencies’ collection of data, certain EU regulators have indicated they expect to see supplemental measures in place for transfers to the United States pursuant to the SCCs.
    • US intelligence information collection happens through two primary legal channels: Executive Order 12333 and FISA 702.
    • Pursuant to Executive Order 12333, intelligence agencies can gather information as it crosses trans-Atlantic cables without oversight by the courts or Congress.
      • Recurly supplemental measure - Persona encrypts merchants’ transaction data at rest and in transit, meaning any information the intelligence agencies would collect would be encrypted.
    • Pursuant to FISA 702, intelligence agencies can request access to communications involving non-US individuals from companies that maintain the communications accounts.
      • Recurly supplemental measures:
        • Recurly does not maintain any communications accounts on behalf of merchants, so FISA 702 does not apply to merchants’ transaction data.
        • Moreover, if Recurly were to receive a request for merchants’ transaction data from an intelligence agency pursuant to FISA 702, Recurly would refer the requesting intelligence agency to the merchant as the controller of the data.