With confidential data theft on the rise (everything from the Colonial Pipeline to your local hospital), enterprises are in a bind when it comes to protecting their data. But security concerns aren't the only thing causing enterprises headaches. Following changes to European data regulations, many enterprises are uncertain about exactly how to manage, treat, store, and most importantly, protect confidential data belonging to European Union citizens and entities, whether those are individuals or multinational corporations.
Until fairly recently, businesses that shared, stored, processed, or possessed client data were covered by the terms of the Privacy Shield, a framework developed by the U.S. Department of Commerce in consultation with the European Commission, the Swiss Government, and stakeholders. Privacy Shield’s goal was “to provide companies on both sides of the Atlantic with a valid legal mechanism to comply with data protection requirements when transferring personal data from the European Union (EU) and Switzerland to the United States in support of transatlantic commerce.” It required participating entities to self-certify to the Department of Commerce and publicly commit to comply with the Privacy Shield Principles, including the Supplemental Principles. Joining Privacy Shield was voluntary, but once an eligible company made that public commitment, the commitment was intended to be enforceable under U.S. law.
However, the Privacy Shield program was invalidated last July by the Court of Justice of the European Union (the highest court in the EU), which held that Privacy Shield did not offer sufficient protection for personal data. With this ruling, entities are left nothing short of baffled about how best to manage personal data belonging to entities or individuals (for more information on the ruling, read this article). While Privacy Shield has been invalidated, the court’s decision “does not relieve participants already committed to the EU-U.S. Privacy Shield of their obligations under the existing framework.” The platform has been invalidated, but the terms still apply? Yes.
The European Data Protection Board (EDPB) has adopted guidance to address some frequently asked questions (note that guidance is not the same as law; to quote the pirates' code in the movie Pirates of the Caribbean, “the code is more ... guidelines than actual rules”), but the uncertainty continues. Specifically, the EU side wants standards that are stricter than those that currently exist in the U.S. As a quick refresher, aside from some specific vertical areas of interest (for example, HIPAA), there is no U.S. federal privacy law. California has enacted the first state-level law, and other states find themselves in various stages of implementation. Without an enforceable federal privacy standard, however, companies that do business in Europe find themselves in an uncomfortable and uncertain state of limbo as they try to keep from violating rules that are, at best, a moving target.
More concretely, the Securities and Exchange Commission has received filings from dozens of businesses within the past year stating that the ongoing confusion over the legality of U.S.-EU data transfers may have a negative impact on their finances, operations, and service offerings overseas.
In addition to business interests, non-governmental entities and academic institutions that rely on access to data for research and policymaking are also feeling the pain. For two recent examples, the Federation of European Academies of Medicine and the European Science Advisory Council reported in April that uncertainties around sharing health data outside the EU put essential research, including COVID-19 vaccine deployment, at risk, with thousands of collaborations with the U.S. already affected.
April was also a big month for these issues to gain widespread attention. Portugal's National Data Protection Commission ordered its census bureau, Statistics Portugal, to suspend sending census data to the U.S. because the bureau was using the American company Cloudflare, as reported in this EDPB press release. Additionally, U.S. email marketing company Mailchimp was implicated in April when the Bavarian data protection authority ordered a European magazine to stop using the service to distribute its newsletters, as reported in this Lexology post.
This month, Microsoft announced that it would begin storing and processing EU cloud customer data in the EU, “citing its commitment to meeting EU data protection laws, including GDPR,” as reported in Law360. Storing and processing data locally is something large companies can execute because they can bear the expense and inconvenience. Smaller companies, however, faced with a choice between the expense of EU-based processing and the risk of non-compliance with the General Data Protection Regulation (GDPR), are likely to give up the European business entirely.
On the good news front, Standard Contractual Clauses (SCCs) may offer some risk mitigation. These clauses, which have recently been revised, are designed to address different scenarios in which personal data is transferred. In addition, the SCCs address the “complexity of modern data-processing chains,” as The National Law Review reported.
SCCs contain contractual obligations for both the sender and the receiver of data. It’s important to note that users of such clauses must validate, on a case-by-case basis, that the clauses provide an adequate level of protection and security for the data being transferred. The International Association of Privacy Professionals stated that two sets of SCCs exist: “one that deals with international transfers of EU personal data to processors, and another that deals with transfers to controllers.” The SCCs in use until now were all issued under the 1995 Data Protection Directive, the predecessor of the EU GDPR (for more details, read this IAPP post). Most of these words are terms of art, so if you’re already vested in GDPR, you’ll be familiar with the terms controller and processor. If not, it is time to study up.
My best advice moving forward is that if data transfers between the U.S. and Europe are a concern for you, you need to remain vigilant about changes in policy and regulation. Change is a constant in this space, so stay tuned.