Updated September 2, 2020
On July 16, 2020, the Court of Justice for the European Union (CJEU) made a historic Privacy Shield ruling, effectively upending business as usual on both sides of the Atlantic. Without this legal foundation, affected organizations are now forced to immediately reimagine or completely halt the transfer of Europeans’ personal data between the EU and the U.S. – or risk violating strict European data privacy laws. While an enhanced Privacy Shield discussion is in the works, no concrete details have been shared yet.
Nylas customers can rest assured their data is secure by leveraging our European Data Residency offering – at no additional cost!
In this blog, we’ll share what the ruling means for you along with how to take advantage of our EU Data Residency. We’ll also explain how to maintain compliance with European privacy standards while fortifying your business against legislative uncertainty.
What Does the EU-US Privacy Shield Ruling Mean For You?
Privacy Shield, a transatlantic agreement established in 2016, served as the primary legal justification for the transfer of Europeans’ personal data from the EU to the U.S. Intended to allow U.S. companies to self-certify that they would adhere to European data protection regulations including GDPR, Privacy Shield’s fatal flaw was its inability to address U.S. Federal laws that conflict with European privacy standards. Section 702 of the U.S. Foreign Intelligence Surveillance Act (FISA), which allows the collection of non-Americans’ personal data, is at the core of the clash largely due to a fundamental difference of opinion about the definition of “surveillance.” The EU posits that surveillance begins at data collection, while the U.S. argues it takes place only once the data is examined.
Inherent in the recent judgment are several challenges for any company with European customers or users.
First, unlike previous rulings, this monumental Privacy Shield decision offers no grace period for making new arrangements to legally transfer personal data in compliance with European privacy standards. Second, companies like Facebook and Microsoft that rely on Standard Contractual Clauses (SCCs) crafted by the European Commission aren’t exempt either. These firms remain subject to case-by-case investigation by EU privacy regulators who may invalidate the clauses, should an organization fail to comply – even if non-compliance is out of their control, as in the case of mass surveillance. Third, while there’s been some discussion of an alternative agreement, resolution may necessitate significant changes to U.S. surveillance laws following an uncertain timeline.
The consequences of a violation are severe. Non-compliance with GDPR results in a fine of up to €20 million (approximately $25.5 million), or 4% of a firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher. Not exactly pocket change.
So, how do you continue supporting EU users and customers while maintaining European privacy compliance?
Control Where Data is Stored with Nylas EU Data Residency
Privacy Shield’s focus was to facilitate the transfer of personal data out of the EU. Nylas Data Residency is a cost-effective, secure alternative that allows you to store and manage data domestically in the EU while adhering to the stringent European privacy standards.
Nylas offers data residency in the EU, US, and Canada at no additional cost to your platform subscription, giving you and your customers full control over where their data is processed and stored. You can create, configure, and manage separate Nylas accounts for each region you would like to store customer data in to ensure data remains localized and separate from other regions while leveraging the same codebase across all your users’ geographies.
Establishing Data Residency with Nylas is simple. Our Data Residency Developer Guide makes it easy to set up your regional dashboard and API in minutes and means you don’t have to worry about data transfer regulations since your data remains stored domestically.
What does the future hold for European Data Protection?
The road ahead for data protection is uncertain, so we’ve made it our mission to ensure you never have to compromise growth or revenue for security.
When it comes to email, calendar, and contacts data, enterprise-grade security is paramount. Nylas is SOC 2 Certified and our systems are built to adhere to all GDPR, CCPA, HIPAA and FINRA regulations. Our products regularly undergo rigorous third-party audits and penetration tests.
Learn more about how Nylas Data Residency can help you ensure compliance with data privacy regulations in the US and abroad. Speak to a platform specialist now.