If you follow data privacy news, you may have heard that the EU-US Privacy Shield was invalidated recently, and as a Tucows reseller, you might be wondering how that affects our services. TL;DR: It doesn’t.
We’ll get into the details of Privacy Shield, what it was used for, and what happens now that it’s been invalidated, but essentially, it let U.S.-based businesses lawfully transfer the personal data of EU individuals to the US by signing on to a series of privacy and data protection commitments.
Now that the EU-US Privacy Shield is no longer an option, companies transferring data will have to look into the other possibilities remaining to them under the GDPR. This is something you may already be looking at for your own business; for your Tucows domain reseller services, we’ve got it covered.
What does the GDPR say about cross-border data transfer?
When we think about the GDPR and other data privacy laws, we tend to think they restrict or entirely prevent the use of personal data in the name of privacy. That’s not entirely incorrect—a big part of protecting personal data is limiting its use—but it’s also not the whole story. Another aim of the GDPR is to allow or even enable the transfer of personal data, as long as the data remains protected. When the data remains within the EU, it stays under the direct purview of the GDPR, and so ensuring that it remains protected is fairly straightforward, since the same rules apply both before and after the transfer. But what about when sending data out of the EU?
The GDPR offers three basic options for how to transfer data to a “third country” outside the EU.
Option 1: an “adequacy decision”
The European Commission can review a country’s data protection laws and determine that they offer an adequate level of protection for personal data. The Commission maintains a list of countries with adequacy status; Canada is included, but only for data protected under Canadian privacy law (which does not cover personal data being processed by the government! Oh, Canada—room for improvement!).
Option 2: appropriate safeguards
The second option for transferring data is referred to as “appropriate safeguards,” which includes the Standard Contractual Clauses, a pre-approved contract provided by the European Commission which can be appended to any agreement.
Option 3: derogations
Derogations are exceptions for certain circumstances, which should only be used rarely and as a last resort.
What was the EU-US Privacy Shield? What happened to it?
The EU-US Privacy Shield was a special type of adequacy decision, a framework set up by the European Commission and the US Department of Commerce which US-based businesses could commit to follow. It provided assurances related to data protection and data subject rights that are similar to what we are familiar with from the GDPR; once a business signed on to those commitments, they became legally binding and enforceable. These commitments included:
- providing transparent information to individuals about rights related to their data
- providing dispute resolution for individuals who brought complaints related to how their data is handled
- meeting purpose limitation and data retention obligations and requirements around accountability
Now that the EU-US Privacy Shield has been invalidated, businesses can no longer rely on it as an adequacy decision. Instead, any transfer of data from the EU into the US needs to be protected by some other method—either appropriate safeguards or derogations. We know that derogations are limited, generally to be used for one-time transfers or exceptional circumstances.
So where does that leave businesses that need to transfer data, including domain providers? They will have to add the proper assurances into their contracts, typically by use of Standard Contractual Clauses—which is what we have done since 2018.
How does Tucows handle cross-border data transfer without the Privacy Shield?
Lucky for us, it’s not a problem. We don’t have to make any changes to how we protect data when transferring it to the US because we don’t rely on the EU-US Privacy Shield framework.
The Privacy Shield framework was only available to American companies, which right away excludes two of Tucows’ main domain businesses. Enom is American, but Tucows (OpenSRS) is a Canadian company, and Ascio is European. Enom could have signed on to the Privacy Shield framework, but we wanted a single approach to apply to all our businesses.
When we built out our processes for GDPR compliance, we adopted Standard Contractual Clauses provided by the European Commission to govern how we protect personal data.
The Standard Contractual Clauses have been incorporated into our contracts with our resellers, vendors, and other service providers via a Data Processing Addendum. This means that when domain registration data is sent to registries or data centers in the US, these contractual commitments can be relied on to govern how the data is handled and to ensure that each data subject’s rights are always respected. Specifically, through the Data Processing Addendum, we commit to complying with GDPR obligations, including confidentiality and information security controls, cooperation with supervisory authorities, and appointing a Data Protection Officer. The Addendum also documents our obligations related to ongoing testing and review of security measures, the reasons we process data, and which third-party providers we work with. We closely watch for any updates to the Standard Contractual Clauses, as we want to remain current with any standards provided by the European Commission.
What do I need to do as a reseller?
For the data processed related to our services, absolutely nothing! You’ve already accepted our Master Services Agreement, so it’s all handled. If you want to learn more, though, you can look for yourself to see the Standard Contractual Clauses in our Data Processing Addendum (which is incorporated into our Master Services Agreement by reference), and you can compare them to the version published by the Commission.
You can also consult your own data protection counsel. This blog post is intended to be helpful and to share with you how we view data protection at Tucows, but it is not intended as legal advice and should not be seen as a replacement for independent legal counsel.