Last Thursday, the Court of Justice of the European Union (CJEU) issued its decision in the “Schrems II” case, effectively invalidating the EU-US Privacy Shield framework, one of the mechanisms that support transfers of personal data from the EU to the US.
Singular’s Attribution customers are not affected by this ruling; however, we understand that our customers and marketers, in general, may have questions about this decision. Note that if you’re using Singular for Analytics, we encourage you to reach out to your MMP for further details on how they are handling transfers of personal data from a compliance perspective.
The invalidation of Privacy Shield will likely impact thousands of US companies that rely on the framework. Thankfully, we already have a solution in place, “Standard Contract Clauses” (sometimes referred to as “Model Clauses”), to seamlessly continue receiving personal data from the EU despite the Privacy Shield’s invalidation. The CJEU upheld this approach in the Schrems II case.
What is Privacy Shield?
The US-EU Privacy Shield framework, aka Privacy Shield, is a mechanism established in 2016 by the United States government and the European Commission. Companies in the US who want to receive personal data originating in the EU for processing in the United States could voluntarily self-certify under the US-EU Privacy Shield framework and take on higher commitments to privacy to be considered “adequate” by the EU to receive personal data.
Singular, like many other companies that are required to process personal data as part of their services, had certified itself under Privacy Shield.
What is the new ruling?
In Thursday’s judgment, the CJEU invalidated the US-EU Privacy Shield framework as a data transfer mechanism. The court held that given the disproportionate, mass and bulk access that US law enforcement and intelligence agencies have to personal data under US laws, the US-EU Privacy Shield framework does not provide sufficient protection to EU personal data per the GDPR. Therefore, the court’s striking down the US-EU Privacy Shield framework renders the Privacy Shield an invalid mechanism to support cross-border transfers of personal data from the EU to the US. The court’s judgment is effective immediately.
Singular is certified under the now-invalidated Privacy Shield. How can Singular continue to receive EU data lawfully?
Singular uses a solution called “Model Clauses” or “Standard Contract Clauses”, which was upheld by the CJEU in the Schrems II case. According to the Model Clauses solution, Singular’s data processing addendum (DPA) includes special data protection clauses adopted by the EU Commission as a mechanism to legalize cross-border transfers of personal data from the EU to the US. If you’re using our attribution services, you should have a DPA as part of your service agreement that includes the Model Clauses.
Are Model Clauses sufficient to allow cross-border transfers of personal data from the EU to Singular?
Based on the Schrems II case, Singular firmly believes the Model Clauses are sufficient. Under the Model Clauses, Singular is committed to notifying the customer immediately if it has reason to believe that it cannot comply with the Model Clauses due to US law enforcement or intelligence agencies requesting access to the data Singular has. Singular reaffirms this commitment and confirms that we have no reason to believe that we cannot comply with the Model Clauses.
The privacy landscape is ever-evolving – recently at higher speeds than ever before. Our security and privacy philosophy, as reflected recently with our response to IDFA changes in iOS 14 and SKAdNetwork, has always opted for a stricter approach, with a multitude of solutions for our customers. This philosophy translates to significant investments we are making by introducing more robust mechanisms to go beyond what’s minimally required for standard compliance. Additionally, it means that we look at regulations such as GDPR and CCPA, and at standards such as COPPA, with a more critical eye than otherwise required.
We continue to stay committed to ensuring your data on our platform remains protected and private.