The EU Invalidates the Privacy Shield—What Does This Mean for Dashlane?
What happened?
On July 16, 2020, the EU Court of Justice invalidated the “Privacy Shield,” a set of procedures required by law which was until then one of the ways that personal data of EU residents could be sent to jurisdictions whose laws do not provide “adequate protections” for privacy (like the United States). The EU recognizes rights of personal privacy that countries like the US do not, and it requires organizations that receive personal data about EU residents to demonstrate that, even if the laws in their homeland are not sufficiently protective of personal data to meet the EU’s requirements, those organizations will meet them.
EU law provides for several approved “transfer mechanisms” that organizations in the US could use to comply with EU privacy rules. The Privacy Shield was one of the most popular. An organization would submit an application to the U.S. Department of Commerce specifying that it employed certain technical measures (such as around the security of its systems housing personal data) and procedural ones (to allow it to properly respond to EU individuals’ requests to exercise their privacy rights), and if the application met the standards agreed to by the EU, the organization could legally receive EU personal data.
With the July 16 ruling, all organizations that used the Privacy Shield suddenly found themselves illegally receiving EU personal data. And subsequent guidance from the EU stated there would be no grace period to implement new transfer mechanisms—each entity that previously relied on the Privacy Shield technically had to have a new, approved means of receiving EU personal data in place on July 17.
So what have we done?
Operationally, nothing. Our data architecture, the way we process requests from customers, how we ensure our Services are working properly, and all the other key processes that allow us to run Dashlane remain the same. Since our founding, we have kept all data that users store on our Services in the EU, and only in the EU. It does not matter if you are from Kentucky, Peru, or Germany, your passwords and any other information you keep in Dashlane we keep in the EU. (Ireland, to be precise.)
More importantly, our Zero Knowledge architecture means that we cannot access data users store with us, even when it is on our servers—each user’s data is encrypted with a unique code based on their Master Password, which we do not know. There is no backdoor and no skeleton key. So long as you keep your Master Password secret, we can’t access the data you store on Dashlane. This is the data that really matters, and since it stays in the EU, it is not affected by the Privacy Shield decision.
So, what data does the decision affect? Basically, what we call Registration Data: things like the email you use to sign up for Dashlane and your home address, if you provide it in connection with paying for a subscription. (We use third-party payment processors like Stripe for all payments made through our site, though, and credit card information goes directly and only to them.) We also keep the most recent IP addresses used to access Dashlane and device IDs (both these and IP addresses count as personal data in the EU), and basic usage information like how often Dashlane is accessed and what features are used. This data is also stored in the EU, but our staff in the US, and certain third-party providers in the US, can access it (and need to in order to provide the Services, deliver customer support, etc.). Detailed information is available in our Privacy Policy. We have strict policies in place that limit who can see what data, all access is audited and recorded, and we are continually evolving our data protection and use policies to make sure that everyone who works for us only has access to the information that they need to do their job.
(Re)-Introducing the Standard Contractual Clauses
Of course, we can’t ignore the fact that the legal scheme we used to send data to the US has been invalidated. Fortunately (if a bit incoherently—more on that below), the decision left the other transfer mechanisms approved by the EU intact. One of these, the “Standard Contractual Clauses,” is essentially a binding, non-negotiable addendum to every contract that an importer of EU personal data (like us) has with its customers who provide it with EU data. So we have modified the Data Processing Addendum, which is automatically incorporated into our standard contract with business customers in the EU, to include the Standard Contractual Clauses in lieu of references to the Privacy Shield.
We are not removing the reference to the Privacy Shield in our Privacy Policy—yet. For one thing, even though the EU does not recognize it anymore, it may return in a modified form (the Privacy Shield itself replaced the Safe Harbor scheme, which was invalidated in a similar fashion in 2015). For another, it still reflects the good faith commitment we made to comply with the EU laws, and we remain firmly committed to the principles girding those laws. Dashlane is founded on the idea of giving you control over your data, and the belief that having that control makes for a simpler, safer, more enjoyable digital life. We are 100% in favor of the principles animating the GDPR, the CCPA (in California) and the other, new privacy laws that fundamentally recognize how much control over our digital fingerprints we have ceded to the surveillance mindset.
So about that Surveillance
Surveillance—and the broad rights that the US government has claimed over data within its borders in recent years (think about the NSA recording and storing all cell phone calls, for example, and justifying it on the grounds that there is no access until they actually listen to a call)—is at the heart of the EU High Court’s decision. The Court specifically stated that the Privacy Shield does not adequately protect EU data from the broad access to personal data claimed by US domestic authorities. It is a simple fact that in the last few decades, the United States has steadily weakened core personal rights of privacy, even constitutional ones like the 4th Amendment’s protection against unreasonable search and seizure, in the name of national security.
Europe has sought to differentiate itself from the US along these lines in recent years, and this decision is part of this process. This seems especially clear because the decision only affects the single transfer mechanism that the US government is actively involved in. It is easy to conceive of this as a political signal more than anything else. While the decision strains to suggest that the Standard Contractual Clauses provide ways that the data exporter can be certain that the entity receiving its personal data will be able to comply with the EU laws, the fact remains that the decision explicitly says that the US authorities’ rights to access personal data are too broad to provide these protections. In that case, why should it really matter how the data gets to the US? Once it is here, it is subject to the increasingly unfettered reach of the law.
There will surely be additional changes coming in the aftermath of this decision, and many expect the Standard Contractual Clauses to be invalidated at some point. We are actively investigating other ways to ensure ongoing compliance with the EU’s privacy-centered regime should that happen. Ultimately, we believe theirs is the right approach.