Why you shouldn’t count on the ADPPA and Privacy Shield 2.0

The backstory

By now, we’re all familiar with the European Union’s General Data Protection Regulation (GDPR). You also probably know that the United States doesn’t have a federal data privacy law that’s anywhere near as comprehensive as GDPR.

And, we’re all aware that we live and work in a global community. People and companies in the EU do business with people and companies in the U.S. all the time. So, U.S. organizations handling the data of EU citizens need to be GDPR compliant, and EU companies need U.S.-based partners to be compliant as well. Everyone who handles personal data needs to make sure they are in full respect with GDPR.

But we’ve got to go back to the early days of GDPR to understand where we are now.

The EU-US Privacy Shield saga

Before GDPR, there was an international agreement known as the Safe Harbor Privacy Principles, which provided guidelines for storing and protecting personal data transmitted across the Atlantic between Europe and the United States.

However, after GDPR was drafted, it became clear this Safe Harbor agreement wouldn’t be enough, and the European Court of Justice (ECJ) invalidated it in 2015. The EU-US Privacy Shield was the legal framework that took its place.

Everything seemed just fine for a little while. That is until an Austrian data privacy activist named Maximillian Schrems shook things up.

Calling out big tech companies for insufficient data privacy protection is sort of Max Schrems's thing. In college, he wrote a term paper about Facebook’s lack of knowledge on European privacy laws. Later, he filed a complaint against Facebook with the Irish Data Protection Commissioner (this case is known as Schrems I).

Max Schrems, lawyer and privacy advocate

After GDPR became law in May 2018, Max Schrems filed complaints against Google, Facebook, Amazon, Netflix, Spotify, YouTube, and other companies claiming violations of the regulation. This is known as Schrems II, which the Irish High Court referred to the Court of Justice of the European Union (CJEU).

Ultimately, the CJEU invalidated Privacy Shield in 2020 as a result of Schrems II, calling the framework an inadequate protection agreement between the U.S. and EU as it relates to GDPR. The biggest issue with Privacy Shield is that it allows companies to share EU citizens’ personal data with U.S. intelligence agencies – without any adequate protection for that data.

More specifically, U.S. surveillance laws (FISA, CLOUD Act) do not have any adequate protection for non-U.S. citizens. So, people in the EU are unable to find out if law enforcement or intelligence agencies are viewing their personal data or why they need it – and they do not have legal standing to challenge the surveillance requests. Plus, many U.S. companies are unable to deny requests from those agencies to access EU citizen data.

Beyond that fact, Privacy Shield was never a very solid solution for guaranteeing GDPR compliance in the first place. For one thing, it involved a self-certification process. Essentially, all that a company needed to do was fill out an online application with basic information and a few paragraphs from their privacy policy, and they were deemed certified under the Privacy Shield framework. There were no real checks or audits in place that proved actual GDPR compliance.

The Schrems II fallout

Following the invalidation of Privacy Shield, big tech companies came under fire for using the framework as a mechanism for certifying protection of data transmitted from the EU. For example, Google is Privacy Shield certified. But earlier this year, a privacy watchdog in France ruled that Google Analytics breaches GDPR. Denmark also recently banned Gmail, Google Workspace, and Chromebooks in schools for the same reason, making it the fourth EU nation to do so.

Of course, it’s not just Google or the GAFA. Between January 2021 and 2022, GDPR fines increased sevenfold, totaling around $1.2 billion. But let’s be clear...

In the meantime, the U.S. government and the EU worked on a new framework, which has been informally called Privacy Shield 2.0. However, the current Privacy Shield framework remains in place even though the Privacy Shield FAQs admit that the CJEU ruled the agreement inadequate. The U.S. government says companies aren’t relieved of their obligation because of the EU’s invalidation.

That leads us to where we are today...

The current situation

One thing that almost everyone involved agrees upon is that it would be a lot easier to get a handle on data privacy protection in a global environment if there were more standardized rules. A major issue in the U.S, for example, is that there’s no federal data privacy law.

Instead, individual states have or are drafting their own local legislation. The most prominent of these is the California Consumer Privacy Act (CCPA), which mirrors GDPR in many ways.

There have been attempts to get a federal law off the ground in the past. But now, it finally seems like a piece of legislation is gaining momentum. The American Data Privacy Protection Act (ADPPA) passed a House committee with a largely bipartisan 53-2 vote. But all that means is lawmakers have decided it’s worth voting on. There’s a long way to go before this would become official. The bill still has to get through a full vote in the House where it could go to the Senate and eventually be signed into law.

Simultaneously, the EU and the U.S. have tentatively agreed to a new legal mechanism officially known as the Trans-Atlantic Data Privacy Framework (aka Privacy Shield 2.0). It builds upon the EU-US Privacy Shield framework with added assurances regarding U.S. intelligence access and protections to EU data.

However, it will still be a self-certification process. And that’s no guarantee of protection against legal trouble. For example, a Federal Trade Commission (FTC) lawsuit alleges that, when self-certifying on the Privacy Shield website, Twitter misrepresented itself as in compliance with the agreement.

We have yet to see a draft of the new proposed framework but expect it to be in line with the ADPPA. Until we have more certainty or concrete language, the Trans-Atlantic Data Privacy Framework is just a “handshake”-type agreement between the EU Commission and U.S. government.

What it means for senders

The White House Fact Sheet on the new framework states:

So, this is a pretty big deal. There’s lots of money involved, without a doubt.

Any organization collecting or processing email addresses of EU citizens needs to consider GDPR compliance, including how that data is transmitted, where it is stored, how it’s protected, and who can access it.

There are some tech companies out there telling people that, with a Privacy Shield 2.0 agreement and the ADPPA on the way, senders have nothing to worry about. But that’s simply not true. As we can see with Twitter, getting “certified” under such a framework doesn’t mean much when you do it yourself. And those companies still have not proven how they protect EU personal data.

The Trans-Atlantic Data Privacy Framework will be helpful, of course, because it’s a global solution that addresses concerns about U.S. surveillance. Still, companies on both sides of the ocean must take responsibility for full GDPR compliance.

Here’s the other thing...

Who knows how long it will take for the ADPPA to become law (assuming it actually does) or for the Privacy Shield 2.0 agreement to be finalized?

Even though the ADPPA bill is considered bipartisan, the U.S. Congress isn’t known for being fast and efficient. After all, there are mid-term elections for lawmakers to worry about in 2022. You can also expect that big-tech lobbyists will be trying to influence the details of the bill as it moves through the legislative process.

Another potential roadblock is that ADPPA will preempt existing state laws on data privacy. Privacy advocates in states like California aren’t happy about that idea. So, lawmakers representing states with laws that are stricter than ADPPA may push back.

Plus, even if the bill gets signed by the end of 2022, it will still take time to be enacted. In an interview on TheMarkUp.org, former U.S. commerce secretary, Cameron Kerry, confirmed that companies would have two years to get in compliance with ADPPA. That means, the soonest the U.S. can expect a federal data privacy law to take any effect is in 2025.

Who knows whether the Trans-Atlantic Data Privacy Framework will hold up to scrutiny? Everyone obviously assumed the previous frameworks were good enough... until they weren’t.

Could Schrems III be on the way? Earlier this year, the activist released a statement indicating he wasn’t very impressed with the new framework.

You can’t rely on hopes and expectations. But you can find reliable companies to work with and help you out.

Who can you trust?

As we mentioned previously, without a Privacy Shield alternative in place, businesses in the EU and U.S. are using SCCs to outline GDPR compliance in terms of data transfers across the Atlantic. But that’s not all that’s required.

What you really need is a full compliancy program, which would include supplemental measures that the European Data Protection Board (EDPB) has adopted. These are connected to Article 46 of GDPR.

1. Exporters of data must map all transfers to other countries.

2. Tools used to transfer data must be verified as adequate.

3. Data exporters must assess whether there are laws in third-party countries that may impinge the safeguarding of EU citizen data.

4. Put measures in place to increase the level of protection if there are laws that impinge upon GDPR standards.

5. Take formal procedural steps to adopt any necessary supplementary measures.

6. Re-evaluate the protection of data through third parties at regular intervals.

So, what are some examples of “supplementary measures”? They could include an internal risk-based analysis to assess the effectiveness of the SCC. Data processors in the U.S. could also put in place limitations on who is allowed to access EU citizen data. Effective forms of data encryption and other organizational security measures are additional examples.

Here’s what it all boils down to:

• EU data controllers must find U.S. data processors that have measures in place for GDPR compliance.

• U.S. data controllers with EU customers (or subscribers) must have adequate data transfer tools to protect privacy.

• U.S. data processors working with EU companies must take responsibility for GDPR compliance, including safeguarding data transfers from Europe.

The bottom line is that no company should be counting on a new legal framework built on self-certification, and no one should expect the ADPPA to solve all their data privacy problems either.

Mailgun’s approach to compliance

This company takes GDPR compliance very seriously. Our sister brand, Sinch Mailjet, was the very first company in the world to achieve an AFNOR certification for GDPR.

Sinch Mailgun is based in the U.S., but we have data centers located in the European Union, which offers us a nice advantage.

For example, a company that only has data centers in the states would be forced to comply with requests from U.S. intelligence or law enforcement to access EU citizen data and may not be able to deny access. They’ll need to provide access because it’s the law and they would not have a legal ground to defend against granting access. But those vendors may not want you to worry about that. So, they’ll try to ease your concerns by saying the ADPPA and Privacy Shield 2.0 will fix everything. (Sorry. That is incorrect. But thanks for playing!)

However, since Mailgun has data centers in the EU, we can protect that data from unwanted access that would violate GDPR. In fact, Mailgun is able to offer our customers plans in which data is hosted exclusively in the EU (or in the U.S., if preferred).

On top of that, we follow the data minimization principle, where only limited and need based roles are granted access to customer data.

To prove our commitment to GDPR compliance, Mailgun has obtained third-party certifications (ISO 27701) and undergoes SOC 2 Type II audits yearly. Both include GDPR-specific controls as part of the evaluation. You can find out more about these measures in Mailgun’s security portal.

At Mailgun, we don’t wait for legislation or frameworks. We strive to be one step ahead of the curve regarding data protection. Our stance is to anticipate changes to data privacy protection and regulations rather than react to them.

If you ever have questions about security and compliance, we’re always ready to provide answers. And as Mailgun’s Data Privacy Officer (DPO), you just might hear back from me.