On July 16, 2020, the EU Court of Justice invalidated the “Privacy Shield,” a set of procedures required by law which was until then one of the ways that personal data of EU residents could be sent to jurisdictions whose laws do not provide “adequate protections” for privacy (like the United States). The EU recognizes rights of personal privacy that countries like the US do not, and it requires organizations that receive personal data about EU residents to demonstrate that, even if the laws in their homeland are not sufficiently protective of personal data to meet the EU’s requirements, those organizations will meet them.
EU law provides for several approved “transfer mechanisms” that organizations in the US could use to comply with EU privacy rules. The Privacy Shield was one of the most popular. Organizations would submit an application to the U.S. Department of Commerce specifying that it employed certain technical measures (such as around the security of its systems housing personal data) and procedural ones (to allow it to properly respond to EU individuals’ requests to exercise their privacy rights), and if the application met the standards agreed to by the EU, the organization could legally receive EU personal data.
With the July 16 ruling, all organizations that used the Privacy Shield suddenly found themselves illegally receiving EU personal data. And subsequent guidance from the EU stated there would be no grace period to implement new transfer mechanisms—each entity that previously relied on the Privacy Shield technically had to have a new, approved means of receiving EU personal data in place on July 17.
So what have we done?
Operationally, nothing. Our data architecture, the way we process requests from customers, how we ensure our Services are working properly, and all the other key processes that allow us to run Dashlane remain the same. Since our founding, we have kept all data that users store on our Services in the EU, and only in the EU. It does not matter if you are from Kentucky, Peru, or Germany, your passwords and any other information you keep in Dashlane we keep in the EU. (Ireland, to be precise.)
More importantly, our Zero Knowledge architecture means that we cannot access data users store with us, even when it is on our servers—each user’s data is encrypted with a unique code based on their Master Password, which we do not know. There is no backdoor and no skeleton key. So long as you keep your Master Password secret, we can’t access the data you store on Dashlane. This is the data that really matters, and since it stays in the EU, it is not affected by the Privacy Shield decision.
(Re)-Introducing the Standard Contractual Clauses
Of course, we can’t ignore the fact that the legal scheme we used to send data to the US has been invalidated. Fortunately (if a bit incoherently—more on that below), the decision left the other transfer mechanisms approved by the EU intact. One of these, the “Standard Contractual Clauses” is essentially a binding, non-negotiable addendum to every contract that an importer of EU personal data (like us) has with its customers who provide it with EU data. So we have modified the Data Processing Addendum, which is automatically incorporated into our standard contract with business customers in the EU, to include the Standard Contractual Clauses in lieu of references to the Privacy Shield.
So about that Surveillance
Surveillance—and the broad rights that the US government has claimed over data within its borders in recent years (think about the NSA recording and storing all cell phone calls, for example, and justifying it on the grounds that there is no access until they actually listen to a call)—is at the heart of the EU High Court’s decision. The Court specifically stated that the Privacy Shield does not adequately protect EU data from the broad access to personal data claimed by US domestic authorities. It is a simple fact that in the last few decades, the United States has steadily weakened core personal rights of privacy, even constitutional ones like the 4th Amendment’s protection against unreasonable search and seizure, in the name of national security.
Europe has sought to differentiate itself from the US along these lines in recent years, and this decision is part of this process. This seems especially clear because the decision only affects the single transfer mechanism that the US government is actively involved in. It is easy to conceive of this as a political signal more than anything else. While the decision strains to suggest that the Standard Contractual Clauses provide ways that the data exporter can be certain that the entity receiving its personal data will be able to comply with the EU laws, the fact remains that the decision explicitly says that the US authorities’ rights to access personal data are too broad to provide these protections. In that case, why should it really matter how the data gets to the US; once it is here, it is subject to the increasingly unfettered reach of the law.
There will surely be additional changes coming in the aftermath of this decision, and many expect the Standard Contractual Clauses to be invalidated at some point. We are actively investigating other ways to ensure ongoing compliance with the EU’s privacy-centered regime should that happen. Ultimately, we believe theirs is the right approach.