What U.S. companies should consider following the bombshell EU Privacy Shield ruling

If you’re an American company with European users or customers, and you transfer their personal data to the U.S. for company use, you need to be aware of what just went down at the EU’s top court today.

That’s because the Court of Justice (CJEU) just made a huge ruling. The upshot: it’s possible you will no longer be able to serve people in the EU—if not now, then in the not-too-distant future.

You can read our full story on that ruling separately, but here’s a quick run-through of the implications. And again, those implications could be immediate, depending on your circumstances.

Privacy Shield

U.S. companies using Europeans’ personal data need some sort of legal justification for doing so. That’s because the U.S. lacks an EU-strength federal privacy law (or indeed any comprehensive federal privacy law at all).

By far the easiest way to keep things legal was to sign up to the so-called Privacy Shield register—essentially, self-certifying that the company will stick to EU rules. This register was created under a trans-Atlantic deal of the same name, struck between the U.S. and EU in 2016.

That deal is now dead. The CJEU on Thursday cancelled it with immediate effect, basically for two reasons: it didn’t stop U.S. intelligence from poking around companies’ data even if they were on the list; and there was no effective way for EU citizens to file a complaint about this in the U.S.

The U.S. Department of Commerce reacted by indicating it would be, in a sense, business as usual. In a statement expressing disappointment with the ruling, the department said it would “continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List.”

“Today’s decision does not relieve participating organizations of their Privacy Shield obligations,” it added.

The Europeans beg to differ. To paraphrase Monty Python’s Dead Parrot sketch, Privacy Shield has passed on; it has kicked the bucket; it has shuffled off its mortal coil, run down the curtain and joined the bleeding choir invisible. It is an ex-agreement.

So you can continue to abide by the register’s obligations—essentially, respecting EU privacy law as best you can—but that no longer means your EU-U.S. data transfers are legal in European eyes. Which was the whole point of the register to start with.

(There may still be a legal reason to keep those promises over in the U.S., though. “Companies that have made privacy promises under Privacy Shield could be subject to enforcement for deceptive practices if they do not live up to those privacy promises,” said Peter Swire, a senior counsel at law firm Alston & Bird.)

Eline Chivot, senior policy analyst at the Center for Data Innovation, described the impact well in a statement Thursday: “The decision delivers a severe blow to the operations of over 5,000 European and American companies who use the EU-U.S. Privacy Shield as the legal basis for transatlantic data transfers. It will immediately upend, and in many cases even halt, data transfers between the EU and the United States, leaving many businesses with no suitable alternative.”

Standard contractual clauses

But what if Privacy Shield isn’t your only legal basis for those transfers?

Some U.S. companies such as Facebook (the firm involved in this particular case) and Microsoft have for years also been relying on a mechanism called “standard contractual clauses,” or SCCs. These are, as the name suggests, oven-ready clauses that the European Commission wrote, again outlining a range of rights and responsibilities in line with the EU’s strict GDPR privacy law.

The court did not strike down SCCs, though it had the option to do so.

It said SCCs were fine in general because an EU privacy regulator can still invalidate them on a case-by-case basis if a company is breaking the clauses’ terms or is unable to stick to them—because, say, it can’t stop the intelligence services back home from conducting mass surveillance on the data.

This is where the striking-down of the Privacy Shield becomes a problem for Facebook and any other big American tech company relying on SCCs to send Europeans’ data over to the U.S.

Although the Snowden revelations of 2013 led to some limited reforms in U.S. surveillance law, Section 702 of the Foreign Intelligence Surveillance Act (FISA) still allows for the mass collection of non-Americans’ personal data from Big Tech firms.

Some in the U.S. argue that surveillance only starts when the agencies actually look at the data—which is a more restricted activity. But the Europeans see surveillance as starting at the point of collection. So in European eyes, the U.S. regularly conducts mass surveillance on Europeans’ data—and there’s nothing the U.S. companies handling that data can do about it.

That’s serious enough to have scuppered Privacy Shield (and its predecessor, Safe Harbor) so it is difficult to see how the SCCs used by a company like Facebook can survive if challenged before an EU privacy authority.

“Although the system of standard contractual clauses will remain in principle and the standard contracts concluded will initially remain in force, they will have to be reviewed and, if necessary, suspended by the data protection authorities in the light of the [CJEU] ruling,” wrote former German data protection chief Peter Schaar in a blog post.

So what now?

Of course, not every American company serving Europeans is a Facebook or Google. If you don’t have U.S. agencies scrutinizing your data under Section 702 of FISA—if, for example, you’re an airline or a retailer—then SCCs could still work for you.

The big difference now is that you’ll first have to convince EU privacy regulators that European customers’ data isn’t subject to surveillance in the U.S.

“Data exporters and importers using the standard contract clauses must verify the level of protection in the [country where the data is going] first. The importer also has a duty to report any issues to the exporter,” said Tony Vitale, a partner at JMW Solicitors, in a statement.

And if your processing of Europeans’ personal data is “necessary” for the fulfillment of your user contracts—if you’re an email provider handling emails, for example—then that’s also automatically kosher under EU law.

“The court explicitly highlighted that the invalidation of the Privacy Shield will not create a ‘legal vacuum’ as crucially necessary data flows can be still undertaken,” Max Schrems, the litigant who brought the case, said in a statement after the ruling came through.

But an awful lot of U.S. companies, big and small, are still likely to be flailing around now, looking for a legal solution to a problem that abruptly landed in their laps on Thursday morning.

The only reliable, long-term solution would be changes in U.S. privacy and surveillance law. Expect to see Silicon Valley’s lobbying efforts step up on that front very soon.

Why BlackLine founder-CEO Therese Tucker—who broke some of tech’s toughest gender barriers—is stepping down

One of tech’s most pioneering female founder-CEOs is relinquishing her title.

Therese Tucker, who launched financial software company BlackLine in 2001 and took it public in 2016, is giving up her CEO role in January. When she does, the tech industry—and corporate America in general—will lose one of the very few women who run public companies, let alone ones that they founded.

BlackLine, which makes accounting software used by companies including Coca-Cola and Dow, is projecting annual revenues of more than $335 million in 2020, up more than 16% year over year. The company’s stock price has also more than tripled in the nearly four years since Tucker presided over its IPO—although it is down more than 20% since Aug. 6, when Tucker announced her plans to become executive chair of her company, and to cede her CEO role to president and chief operating officer Marc Huffman.

“I have to acknowledge that, after 19 years, a lot of my identity is wrapped up in this company, and in the [CEO] title,” she tells Fortune. “I’m handing my baby off to somebody who loves that baby. But yeah, I’ll probably freak out at some point.”

That transition has been underway for years. In early 2018, Tucker hired Huffman to be her COO from Oracle’s NetSuite, where he was running global sales and distribution for the cloud-software provider. This February, he took on the additional role of president—after successfully covering for Tucker last summer, when she tested his leadership readiness by taking a six-week sabbatical. (The pink-haired 58-year-old, whom I profiled for Inc. magazine in 2017, used some of her time off to learn to ride a motorcycle.)

Nor is she completely giving up her parenting rights. Tucker will continue focusing on BlackLine’s product and plans to remain executive chair indefinitely. “I think I have a lot of value to add, and I think that as long as I’m excited about where the company’s going, it’ll be fun to stick around,” she says.

In a video interview this week, part of which was joined by Huffman, Tucker told Fortune about how the pandemic affected her succession planning, how BlackLine is responding to the reckoning over racial justice, and how she and Huffman have hammered out their current and future responsibilities. The following Q&A has been condensed and lightly edited for clarity.

Fortune: Therese, when we saw each other last fall, you had just taken a weeks-long vacation, seemingly as a prelude to this transition. So when and how did you start thinking about giving up the CEO role?

Tucker: I’ve been thinking about it for a couple years now. That was the intent of bringing somebody in with Marc’s skills and talent and experience. The next stage of the company is, how do we scale this thing to [revenues of] a billion dollars? And frankly, that’s not my set of skills. I really enjoy the product side a lot more.

Marc took on a lot of the leadership activity necessary during the pandemic—all the communications with employees and management and the executive team, having get-togethers every morning to go through how we handle every situation. Watching him take on all of those leadership challenges, and doing a wonderful job at it, convinced me that it would be good for everybody, including me, to announce that next step.

So come Jan. 1, he gets to be the CEO and I get to give him all the difficult things to do. And I get to go do digital transformation, meeting with customers, stuff like that. I will stay on as executive chair. And my first and primary goal is to make sure that he’s successful. By the time we’re done, it’s going to be the world’s longest transition. But I want it to be very successful, and I want the company to be very successful.

You started BlackLine in 2001 and have been CEO ever since. Any bittersweet feelings about giving up that role?

Tucker: I have to acknowledge that after 19 years, a lot of my identity is wrapped up in this company and in the title. It helps a great deal that I’m not actually leaving. So then, how much of my identity is wrapped up in being the CEO? Probably some. It helps that I’m a big fan of Marc, and I believe that he has fallen in love with the company. So I’m handing my baby off to somebody who loves that baby. But yeah, I’ll probably freak out at some point.

Marc, what do you need to spend the rest of this year doing, to feel even more ready to take over on Jan. 1?

Huffman: A lot of the areas where I seek Therese’s feedback, and have those “phone a friend” moments, are around our product primarily—why things are the way they are and what they mean and how they translate to the customer. So in February, I took on the product and technology organization as a part of a first step promotion, and to really become fluent with our multiyear technology initiatives. But there are still times where I have to call Therese and say, “Okay, now that I’m using these words—what do they really mean? Why is this important to the customer?”

Tucker: I am so pleased that Marc is willing to ask—and I’m sure I go into much greater detail than he wants to hear! But I want him to understand every bit of it. There’s also an important handoff from a market perspective and an investor perspective. Marc’s been taking part in the last couple of quarterly earnings calls and going to the different conferences, or going virtually. How to speak to investors and what the market is expecting is something that you don’t want to do in a quick way; you want to ease into it and get the rhythm of working.

The flip side is that taking over from a CEO who’s remaining as the executive chair can be complicated, even more so when that CEO is the founder of the company. Marc, how are you thinking about when you really need to be the face of the company versus Therese—and, to put it bluntly, can you tell her to back off?

Tucker: He’s done that already!

Huffman: We have a very productive, respectful relationship. We’ve got the support of our board, and each of us has members of the board who guide us. We’ve got a framework in terms of roles and responsibilities, so it’s pretty well thought out and specified. And generally when Therese talks, I try to understand her point of view and she tries to understand mine.

Tucker: Marc and I are aligned on values, we listen to each other, and we both treat each other with a great deal of respect. That lets you get through anything. It’s not about our egos, it’s about what’s best for the company.

As businesses are swept up in the national reckoning over racism, what has BlackLine done to respond to these calls for social justice, both inside and outside your company?

Huffman: BlackLine historically has been pretty apolitical, but we took inventory of our own opinions as a leadership team, and we chose to lean into it. We published a statement, and we began to accelerate a number of initiatives that we had already planned for the year around diversity and inclusion. That included unconscious bias training; we made a multiyear commitment to the NAACP Legal Defense Fund; we accelerated an employee matching program that was focused on a number of these areas; we created management goals to create a fair and just and more diverse workforce; and we’re hiring a diversity and inclusion leader who will report to our chief people officer.

Tucker: As wonderful as BlackLine is, I still think that there’s room for improvement based on some of our employees’ experiences, which is almost certainly going to be true everywhere. We have been doing a lot of listening, and we are making changes to make sure that we get a lot better.

Are you publishing your racial and gender diversity statistics?

Tucker: I don’t think so. I know I was not wildly as happy as I could have been on the gender. It’s tough. Right? Technology and sales—I mean, it’s just hard.

Huffman: We’ve hired an independent third party to come in and assess us as an organization and make recommendations for us. Part of that is to identify our data, identify the proper benchmarks, and then build the plan to get to a better place.

Since my profile of Therese was published in 2017, I’ve had many people tell me what a role model you are to them. Often they’re women in tech. This is not about Marc specifically, but do you have any regrets about the fact that your successor is not going to be a woman?

Tucker: Honestly, not really, because I wanted the best for the company. Somebody with the skills that he has is extraordinarily rare. So I don’t have any regrets about that at all. And a good share of our senior management team is women. We’ve got three women on our board of directors. I think we’ve done a pretty good job there.

Do I wish that there were more women CEOs? Absolutely. There are not a lot of women executive chairs, either, or women who are founders of tech companies that go public. So we still have those things, and there’s still an opportunity to mentor women along the way. In fact, I’m hoping that I’ll have more time to be supportive of other women CEOs.

You once told me, “I’ll be ready to retire once everybody does it my way.” So is that mission accomplished?

Tucker: [Laughs] That is such an arrogant quote. With maybe a few more years of wisdom now, I’ll modify that: They either have to do it my way or convince me that their way is better. And then I’m good.

Copyright © 2020 Global Biz Feed