A judgment of the European Court of Justice of 16 July 2020 invalidated the Privacy Shield, a framework that regulates transfers of personal data from the EU to the US and legalizes its processing in the US. How will this breakthrough affect companies and institutions conducting webinars, online meetings, and video conferences?
As we highlighted in our latest report, the pandemic has triggered an enormously high usage of webinars and video conferencing. For a wide range of companies, schools and universities, healthcare institutions, or NGOs, security aspects started to play a significant role in running online events.
The July judgment of the European Court of Justice also requires us to pay special attention to the security, transfer, and processing of the data of those who take part in these events.
But first, let’s answer these questions:
What is the Privacy Shield?
Privacy Shield is one of the mechanisms sanctioning the transfer of personal data of European Union citizens and persons residing in the EU, that is, people whose data are processed based on GDPR principles.
In practice, the Shield enables companies operating within EU territory to transfer their European clients’ data to the USA for further processing. According to Reuters, hundreds of thousands of companies, including technology giants such as Facebook and other key industry players, send the data across the Atlantic and then continue processing it on American soil, where the legal regime for data protection is less stringent than in EU countries.
Let’s face it – all the biggest tech companies have their headquarters and business-technological centers in the US.
What led to its end?
The subject of data protection, surveillance, and unethical use of personal data has stirred strong emotions since the world heard about Edward Snowden in 2013. The best-selling author J.K. Rowling, in turn, described the Cambridge Analytica scandal of 2018 on Twitter as the “story of the decade.”
Another chapter in the history of the fight for data protection is the latest Court of Justice judgment, which puts an end to the Privacy Shield. It is the culmination of several years of struggle by Austrian activist Maximilian Schrems. He has been challenging Facebook over the transfer of European data to American state agencies and tried to prove that the Privacy Shield does not give EU citizens a guarantee of protection against such practices. The Court found Schrems to be right, and that means the end of the Shield’s era.
What are the consequences of this judgment?
What does the Court’s invalidation of the US-EU Privacy Shield Agreement mean? Data controllers, processors of personal data entrusted to them, and national data protection authorities must now assess whether the Standard Contractual Clauses can continue to be a mechanism to regulate data transfers across the ocean.
Based on the grounds of the Court’s judgment, we can conclude that the system of safeguards in the Standard Contractual Clauses will need to be supplemented.
Companies that operate in the EU are, of course, obliged to comply with the GDPR. If they transfer their clients’ data to the US and process them there, they must now find a legal basis to continue doing so. Now that the Court has shattered the Shield, these companies must have an alternative basis for legalizing the handling of this data.
However, it may turn out that an EU or national institution that handles data protection finds such a premise insufficient.
What does this mean in the long run?
Both companies that use other companies operating in the US to provide their services and those with their data processing infrastructure will face the risk of high penalties imposed by the data protection authorities. It will happen if the authority considers that the grounds used to legitimize data transfer and processing are inappropriate or invalidated. Therefore, these companies will look for alternative solutions to avoid the risk of data transfer and processing in the US, including no data transfer to the US at all – claims Łukasz Kołodziejczyk, Data Protection Officer at ClickMeeting.
Webinars and video conferences in the no-Shield reality
This radical legal change has an enormous impact on the tech industry, which operates in a SaaS model (Software as a Service), where vendors handle their customers’ data and base their operations on extensive server infrastructures.
It’s no different when it comes to platforms used for organizing and running webinars, online meetings, or video conferences.
Why is it so vital? Because the pandemic outbreak has made those tools fundamental to remote communication between teachers and lecturers and their students, trainers and trainees, managers and employees, vendors and customers or investors, etc. Therefore, taking good care of the data security of all participants in that online communication is one of the top priorities.
Webinar and video conferencing vendors from the US dominate the market. It means that their servers are located on American territory. And it boils down to the fact that they send their European customers’ data right there, outside the GDPR jurisdiction.
On the one hand, U.S. law does not provide the necessary limitations and safeguards for domestically permitted interference with the right to privacy and the right to protection of personal data. On the other hand, it does not provide adequate judicial protection against such interference. EU citizens do not have access to the same legal remedies that U.S. citizens can use to defend themselves against the processing of personal data by the U.S. authorities. In some cases, they do not even have such powers at all. This is the basis for the reservations regarding the transfer of data from the Union to the U.S. – claims Karolina Nazarewicz, Manager of the Legal Department at ClickMeeting.
The solution? Data processing and servers in Europe
If we take a responsible approach to data security, the most reliable and easiest way is NOT to use webinar and online meeting platforms that come from outside Europe and process data on servers located outside the European Economic Area.
ClickMeeting, as a Polish webinar platform, acting in accordance with the GDPR rules, comes up here as a natural solution.
Both the data that our clients entrust to us for processing and the application servers used to store data, and thus the clients’ data in the application, are processed in the European Economic Area, namely in Germany and France – points out Łukasz Kołodziejczyk.
Moreover, the Court’s judgment concerning the Privacy Shield caused dissatisfaction on the other side of the Atlantic and discord in US-EU relations. All the more so, using a European provider means that organizers of online events do not have to worry about political reshuffling and decisions on data transfer and transatlantic processing.
By running webinars and video conferences on ClickMeeting, companies, schools, universities, and any other institutions have a guarantee of:
Security standards of personal data processing, meaning compliance with the GDPR rules;
Legal protection against surveillance by state authorities;
Availability of adequate legal remedies provided by EU rules and regulators in case of a personal data breach.
Other security measures for online events
Apart from crucial data protection, there are also other aspects when it comes to running safe and sound online events. As we underlined in the Webinars and video conferencing in times of the pandemic report, as much as 51% of the survey respondents are in favor of securing webinars and online meetings with a password or a unique token.
The ClickMeeting platform offers both options:
It’s an easy and effective way to secure online events from disturbing incidents known as “zoombombing” (the term refers to trolls hacking video calls and online conferences and disrupting them by broadcasting disturbing content).
Green light to data protection and secure online events
Luckily, shattering the Privacy Shield doesn’t mean an earthquake for your webinar and online meeting activities.
All you need is a webinar platform that operates entirely on servers and data processing within the EU and follows strict GDPR rules. That’s how it works at ClickMeeting! Don’t hesitate to switch to secure online events – try our platform for 30 days! For free!