Transatlantic Data Transfers: Don’t Let It Sink Your Business

Handling personal data is a risky business. Personal data transfers outside of the European Union is even riskier. You could suddenly find yourself in court defending against allegations of privacy invasion. Even if you hadn’t intentionally done anything wrong.

Lawmakers are continually testing, challenging and updating privacy laws. As terabytes of personal information flies back and forth between businesses and individuals. Countries like United Kingdom and European Union has established quite robust privacy laws. For most organizations operating in these countries there isn’t a problem. There are already highly secure and trusted storing and transferring mechanisms in place.

Unfortunately, European regulators don’t have as much faith in most countries outside the EU. Not even in the United States. This came to light in a convoluted court case known as ‘Schrems II’ concerning personal information used by Facebook. As a result, companies are struggling to make sure they are compliant in the wake of the 2020 court finding. We’ll talk more about the implications of the Schrems II case in a moment. First let’s clarify how privacy laws are usually affecting people and organizations.

Mechanisms protecting personal data

Any information held on record that identifies an individual is personal data and must be protected. The information could be just names and contact details of customers, employees and suppliers. On a deeper level these data can include private information such as genetic, biometric and health data. Moreover information revealing racial and ethnic origin, political opinions, religious or ideological convictions or trade union membership.

Privacy laws are in place to protect exactly this type of information. They requiring users of the data to have secure physical and digital mechanisms in place. In cases such as to prevent discrimination and invasion of privacy. The laws also ensure that individuals give informed consent before disclosing personal information to an organization. Therefore they must also be clear about the usage and storage of the information. As well as informing individual users of the legal action they can take if their personal information has been abused.

What’s the problem with US privacy mechanisms?

Most European countries, including the UK, follow the same transfer mechanism. It is outlined in the European Union’s General Data Protection Regulation (GDPR). The latest legislation to impact data transfer between Europe and the United States is the European Court of Justice’s decision in July, 2020 in the ‘Schrems II’ case.

The new ruling stems from a case originally launched by activist Maximilian ‘Schrems’. He called for the Irish Data Protection Commissioner to invalidate Facebook’s standard contractual clauses (SCC). They used such clauses for transferring personal data out of Ireland to its headquarters in the US.

The UK and EU privacy regulations prohibit transfers of personal data outside of the EU. Well unless the destination country can assure an adequate level of protection. From the year 2000 to 2015, the Safe Harbor program was a safeguard. However in October 2015 “Schrems I” case had invalidated it. A few months later in July 2016, the European court approved the EU-U.S. Privacy Shield program. Which is administered by the US Department of Commerce’s International Trade Administration so that US-based organizations can meet the EU requirements for transferring personal data to third countries.

However, in the latest Schrems case, Maximilian Schrems pointed out that the personal data could be accessed by US intelligence agencies while the information was in transit and when stored in the US, which would violate the GDPR and EU law.

The court ruled in Schrems’ favour, effectively invalidating Privacy Shield as a data protection mechanism between the EU and the US.

3 EU Privacy Protection Demands

Whatever legislation replaces Privacy Shield, if any, EU regulators want to ensure the following basic protections for personal data transfer:

  1. Ensure that personal data will be protected to a European standard when it gets to its destination outside of Europe.
  2. Prevent companies based in European countries from circumventing EU privacy laws by transferring data overseas.
  3. Europeans can exercise their privacy rights and remedies against foreign companies that process their personal data.

Alternative Data Protection Solutions

Although the US is off the list with countries with adequate privacy mechanism in place, there are a few other options. For multinational corporations sending data between locations in different countries to take advantage of exceptions or ‘derogations’ to the rules when certain conditions are met. Here are four examples:

Although the US is off the list with countries with adequate privacy mechanism in place

  1. Recurring Data Transfers
  2. Binding Corporate Rules
  3. Standard Contractual Clauses
  4. One-off Transfers

Recurring Data Transfers

The European Commission regularly reviews data protection mechanisms in place in jurisdictions within and outside the EU and make ‘adequacy decisions’ based on the data protection laws and their enforcement in those jurisdictions.

If they find that there is an adequate level of protection of personal data in place then they allow free flow of data transfers (recurring transfers) between those countries, which are currently only a handful outside the EU. They are: Argentina, Canada, Israel, Japan, New Zealand and Uruguay. Switzerland, the Channel Islands, and Andorra are also on the approved list. Even though they are not EU members, they do have almost identical privacy laws to the EU.

Binding Corporate Rules

Binding Corporate Rules (BCRs) are highly complex and expensive to implement. They are only used by a handful of large multinationals with ample resources.

Standard Contractual Clauses

Standard Contractual Clauses (SCCs) is a more common mechanism. Organizations are using it to guarantee protection of individual rights when transferring data out of the EU. They are fixed, and non-negotiable contract clauses issued by the EC which can be signed between data exporters in Europe and data importers outside the EU.

One-off Transfers

As an example.. Health emergency cases involving someone who have to be hospitalized abroad. In this case there is necessary and urgent need to transfer their medical records from their home country to a foreign hospital or doctor. In special cases like this one-off transfers are an option.

Schrems II Verdict Makes Waves of Uncertainty

Following the Schrems II decision, organizations using the Privacy Shield framework are facing a Hobson’s choice. They either had to stop transferring data between Europe and the United States or implement SCCs in place of the now defunct Privacy Shield. However, the court ruled that organizations relying on standard contractual clauses for data transfers would still have to assess whether the contracts provide adequate protection, and possibly put other safeguards in place.

So the Schrems II ruling isn’t clear cut, but rather seems to be quite open to interpretation. Creating grey areas when it comes to deciding exactly what to do or how to ensure privacy is maintained.

European privacy regulators haven’t provided clear guidance or recommendations other than suggesting that data be encrypted to render it totally unreadable to anyone outside Europe or stating that data transfers to the US are just no longer permitted… Far from helpful.

What Action Can You Take?

Of course, if your organization relies on such data transfers, simply halting them is probably out of the question but at the same time you don’t want to break any laws.

With the goalposts moved, companies are facing a greater risk of prosecution. Even if they are already doing their best to protect data… They are now burdened with having to do more paperwork when transferring data to the United States.

First you should review intra-group and third-party data flows. Then establish which mechanisms apply to data transfers outside Europe. And then whether you need further safeguards. Additional safeguards might include bolstering encryption protocols or perhaps relocating encryption keys to a location in Europe.

As European residents have the right to know how and where their personal information is being used and can demand compensation for privacy infringements. It may be wise to set up transparency reports to demonstrate the frequently with which government bodies ask for such data. Meanwhile, how regulators will ultimately interpret the Schrems II ruling remains to be seen. It’s difficult to speculate as so far there haven’t been any cases to test the waters. Stay tuned and we’ll keep you updated.

Intelimasters is a background screening agency, not a law firm. This article is for informational purposes only. Nothing in it should be considered as legal advice. We encourage you to consult with legal counsel regarding your specific business and/or individual needs.


Comments are closed.