Perhaps a story involving a privacy trade war, metaphorical ‘shields’ and Donald Trump doesn’t naturally shift your attention to the European events industry. Let’s face it, 2020 is giving us plenty of other matters to worry about.
Still, it’s not every day that a “bold move” from the EU’s top court has a direct impact on attendees and their personal data.
On July 16, the European Court of Justice (ECJ) moved to invalidate the EU-US Privacy Shield: an agreement allowing US companies to transfer and store information from countries belonging to the European Union.
The action has wide-ranging implications, but EventsCase is particularly interested in what it says about the safety of your event data. Without an agreement to protect what you gather, you could be at a greater risk of data breaches, leading to fines, a loss of information, and huge reputational damage. Allow us to explain in more detail.
What is the EU-US Privacy Shield?
The EU-US Privacy Shield system underpins transatlantic digital trade for thousands of companies. It’s one of the major agreements that sit outside of the General Data Protection Regulation (GDPR), ensuring the safe flow of data from the EU to non-EU countries.
Any US company signing up to the Shield must cooperate with data protection regulators due to certain assurances given by the framework regarding the safety of information. Until recently, it provided peace of mind to European-based companies that host data in the US.
Some have no idea their information travels this far. Indeed, the most common scenario in an events context would be the use of technology to manage registrations and check-in and to create mobile apps, with all data making its way across to a US server.
Don’t forget, the platform itself could be ‘global’, and not all organisers realise where their attendee information ends up. Judging by our investigations and knowledge of the event tech market, this is fairly common.
‘Privacy Shields’ play a key role in policing the use of your data, until they themselves are called into question.
Enter Max Schrems, an Austrian privacy advocate, who in 2018 challenged the agreement in the ECJ. He argued that US national security laws failed to adequately protect EU citizens from acts of “snooping”. After two years of deliberation, he won.
The court ruled in favour of Schrems and his case, therefore making the Shield invalid.
How does this affect my event?
Further invalidation of mechanisms like the Privacy Shield could see the end of a truly borderless internet. More pertinently, though, the ECJ has essentially spelt out the risk associated with housing information in the US.
It’s official: you cannot guarantee that someone isn’t trawling through your attendee data.
Politico reports that some companies have already ceased the movement of their information and are now keeping it within the EU. Others are seeking Standard Contractual Clauses (SCCs), which are individual and made between two organisations. However, it’s now thought that last week’s decision may see the end of these as well.
All signs point towards a reform of US surveillance practices to bring them in line with EU laws. Analysts have long complained about the lack of protection being offered to companies that pass data into the States. Yet, considering President Trump’s previous conflicts with GDPR and his frosty relationship with the EU, we’d be surprised if this were made a priority.
What should I do about it?
Anyone using technology for their registration, check-in and event management should now be asking where their data is stored. Our investigations show several big names in the event tech landscape housing information on US servers, which could leave it vulnerable to surveillance.
One safeguarding measure would be to seek a clause in your contract that specifies where your data is stored. If your provider does not wish to include this, you could be risking a financial penalty from watchdogs like the Information Commissioner’s Office and a severe blow to your reputation.
These issues aside, there is definitely something to be taken from the sheer confusion surrounding the next possible steps.
Companies applying SCCs as a short-term measure have no idea whether those clauses will soon be deemed unfit for purpose. Transfers of data between the EU and US are not expected to stop, chiefly because companies are awaiting a more detailed response from the European Commission and UK Information Commissioner.
Our advice would be to err on the side of caution and keep your data away from the US, at least until you can be sure of its protection.
Attendees impart a wealth of personally identifiable information from the moment they register for a ticket. Companies like Yahoo and Equifax are still recovering from their respective customer data breaches, where millions of records found their way into the wrong hands. In a world where online privacy is at the top of consumer consciousness, you want to avoid being implicated in any potential leak.
News of the Shield’s collapse might seem like the last thing our industry needs right now. But as data becomes all the more vital to our operations, allowing for the creation of personalised experiences, the current period of downtime could be ideal for patching some of the chinks in our armour.
If you’d like to discuss how we’re supporting our customers with advanced data protection, feel free to get in touch.