If you’re like me, over the last few weeks, you’ve scrolled past countless postings from panic-stricken lawyers with stark warnings about how the European Union’s (“EU”) invalidation of the EU-US Privacy Shield Framework will limit transfers of personal data from the EU to the United States (“US”). This isn’t the first time that the legality of such transfers has been called into question, and it won’t be the last. Instead of scrambling every few years to find alternative ways to transfer sensitive personal data to the US, there’s a better solution: don’t transfer it at all.

The Background

In the EU, data privacy is a fundamental right that extends to personal data (information that could identify someone such as name, email, or IP address), even when it’s transferred outside of EU borders [1]. You may not realize it, but such transfers occur in everyday activities, for example, when performing general HR functions (e.g. payroll, benefits, record keeping, etc.), when using SaaS/cloud software platforms, sending an email, or collecting cookie or customer data from website visitors. The EU imposes strict requirements on companies that effect these transfers, because many countries don’t afford the same level of protection to personal data [2]. The US is one such country, as was made clear in 2013 when Edward Snowden revealed the NSA was conducting mass warrantless surveillance on millions of people across the world [3].

The Problem

In response to Snowden, the US and EU agreed upon a set of rules to legalize transfers of personal data from the EU, called Privacy Shield [4]. This allowed US companies to collect personal data from EU customers, or EU companies to use SaaS applications with servers in the US, for example. But like its predecessor (the “Safe Harbor Privacy Principles”) [5], it was ultimately invalidated by the EU (without a grace period) [6] for the same reasons that it was adopted in the first place: the US government’s broad access to data (which has largely remained unchanged since Snowden) [7]. Still, there are other ways to transfer personal data to the US [8], but unless the US enacts fundamental changes to its treatment of personal data, it’s only a matter of time before those are invalidated too. The US is a major developer of SaaS/cloud software (CRM, email, storage, etc.), and organizations that rely on its companies to operate their business may be forced to find alternatives on a moment’s notice. HR departments within those organizations are hit particularly hard because certain transfer alternatives that might otherwise be available for “customer” or other types of personal data are limited in the employer-employee context [9].

The Solution

Use your Virtual Private Cloud or “VPC” (which your company already has and uses for various functions) instead of SaaS, to leverage the full power of AI and your HR department. With your VPC, essentially you’re using your company-controlled servers to run everyday software (whether for developing leaders, running payroll, writing an email, or otherwise), instead of those controlled by your SaaS vendor. And, unlike a typical SaaS solution, AI can be deployed directly onto your servers, so analysis can occur where sensitive content lives, without moving it, or sacrificing the feel or convenience of SaaS. In other words, there isn’t a need to transfer sensitive personal data to an external SaaS platform, much less worry about transfer-related compliance headaches.

[1] General Data Protection Regulation (“GDPR”) Recital 1 and Article 3
[2] GDPR Article 44
[3] https://www.theguardian.com/world/2013/jun/06/nsa-phone-records-verizon-court-order
[4] Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield.
[5] 2000/520/EC: Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce (notified under document number C(2000) 2441) (Text with EEA relevance.)
[6] Frequently Asked Questions on the judgment of the Court of Justice of the European Union in Case C-311/18 – Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems, adopted on 23 July 2020, #4.
[7] C-311/18 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems
[8] GDPR Articles 44-49
[9] GDPR Article 49(1)(a); GDPR Recital 43; Article 29 Data Protection Working Party, Guidelines on consent under Regulation 2016/679

Josh Pittel, JD, ESQ, CIPP/US/E

Josh is the Director of Global Privacy/Legal at Cultivate