Acxiom is one of those American companies that probably knows a lot about you, even if you’ve never heard of it.
The firm is a database marketing company, also known as a data broker—it builds “anonymized” profiles of people and sells them to advertisers, so they can better target their ads.
As such, Acxiom is of intense interest to Europe’s privacy regulators—privacy campaigners in the U.K. filed a complaint in late 2018, alleging that it was breaking the bloc’s tough General Data Protection Regulation (GDPR) by exploiting people’s personal data without their consent.
The company is also one of many to feel the impact of the recent “Schrems II” ruling by the EU’s top court, the Court of Justice. Citing insufficient privacy protections in the U.S., that decision instantly killed the Privacy Shield data-sharing agreement between the U.S. and the EU, while also casting into doubt the viability of another legal mechanism called standard contractual clauses (SCCs), which is widely used by companies from Facebook to Google as a basis for transferring Europeans’ data to U.S. servers.
Fortune had a chat this week with Acxiom’s Jordan Abbott, to discuss the firm’s take on that ruling and EU privacy regulation in general. Abbott has an interesting job title—chief data ethics officer.
Here’s a transcript of that conversation, lightly edited for clarity.
Fortune: What are the implications for businesses of the Schrems II decision?
Abbott: It is Groundhog Day all over again. We went through this with [Privacy Shield predecessor] Safe Harbor in 2015. When Privacy Shield was announced in 2016, my colleagues and I were skeptical about its long-term prospects. We believed at the time that it had the same sort of infirmities that plagued Safe Harbor. And, indeed, I made a prediction that at some point Privacy Shield would be challenged for many of the same reasons that Safe Harbor was challenged.
The immediate impact on businesses as a result of [the ruling] is that companies that were relying on Privacy Shield for data transfers from the EU to the U.S. now have to rely on an alternate mechanism of transfer, such as standard contractual clauses. Most companies don’t have binding corporate rules [or BCRs; a far more expensive, time-consuming legal mechanism for data transfers within multinationals] that have been approved by data protection authorities.
Fortunately for Acxiom, many of our agreements—if not most—had a belt-and-suspenders approach to data transfers, saying that in the event Privacy Shield is invalidated, transfers would rely on standard contractual clauses.
Even then, companies like Acxiom have to do an assessment to determine whether U.S. [legal protections for] transfers of data are essentially equivalent [to EU protections] to protect European citizens and, if there are issues, what sort of supplementary measures can be put in place to create essentially equivalent adequacy—things like encryption. For us, in addition to reviewing our agreements with our clients and our partners, we’re also doubling down on the necessity of data transfers, and data minimization.
So you are now relying on standard contractual clauses …