What you need to know about transatlantic data transfers
Where does data live and who can access it? This seemingly simple question is, in fact, incredibly complex in the cloud era, as servers often reside abroad and regional data rights clash with international government surveillance efforts.
This friction is evident on both sides of the Atlantic after last year’s court decision that Facebook’s transfer of personal data from the EU to its headquarters in the US directly breached the General Data Protection Regulation (GDPR), leaving thousands of companies – from device manufacturers to software creators – wondering what data they can use in their products.
After one year of post-court limbo, the European Commission published this month the finalized version of the new standard contractual clauses (SCCs) for transferring personal data from the EU to third countries. Let’s dive into what this means for tech companies and what they can do in this new era of data rights.
Schrems II: Where it all started
First, let’s go back to the start of the story. In July last year, the Court of Justice of the European Union (CJEU) issued a ruling that invalidated the EU-US Data Protection Shield over concerns about surveillance by US state and law-enforcement agencies. This proved problematic, as more than 5,000 companies relied on the framework to transfer their data between the two continents. The ruling later came to be colloquially known as “Schrems II,” after Max Schrems, the activist and lawyer who initiated this legal saga with his complaints against Facebook in 2013.
The decision also upheld the validity of standard contractual clauses (SCCs). These clauses are meant to ensure the lawful and secure transfer of personal data from within the European Economic Area to third countries, though the ruling requires companies and regulators to analyse, case by case, whether the destination country’s protections against government access to the transferred data meet EU standards.
The new data rules
Despite the validation of SCCs, lingering confusion and uncertainty have resulted in the adoption of new tools for the safe exchange of personal data. This month, the European Commission adopted two new sets of SCCs: one for use between controllers and processors, and one for the transfer of personal data to third countries. These tools are intended to offer more legal predictability to European businesses and to help small and mid-size enterprises ensure compliance for safe data transfers, while allowing data to move freely across borders without legal barriers.
Moreover, the revised SCCs provide “more flexibility for complex processing chains” by using a modular approach, said the European Commission, and offer the possibility for more than two parties to join and use the clauses.
The revised SCCs seek to strike a balance between emphasizing the legal framework of the GDPR and addressing the lingering uncertainty in the aftermath of Schrems II. Companies have fifteen months to transition from the previous clauses to the revised ones.
Without many viable alternatives for transatlantic data transfers, the new rules are a welcome development. However, before diving straight into resubmitting the paperwork for legacy SCCs, organizations are best advised to focus on a holistic evaluation of existing data flows and the roles of those involved in personal data transfers.
Best practices in this era
With new and old rulings to consider, as well as differing jurisdictions and approaches to data rights, companies must think long and hard about their data practices. One way to satisfy all parties is to apply strong encryption to personal consumer data. By encrypting the data, organizations can ensure that third parties cannot gain access to sensitive information while it is in transit between regions. Combined with an effective encryption key management system, encryption can help ensure that private data stays private.
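One concrete way to apply the encryption-plus-key-management advice above, as an added example that is not code from the original article: envelope encryption in Go, where each record is encrypted under a fresh data key (DEK) and that DEK is wrapped under a key-encryption key (KEK) that never leaves EU-controlled key management, so only the two ciphertexts cross the border and a processor abroad holds nothing it can decrypt. The KEK here is an in-memory byte slice standing in for an EU-resident KMS key (assumption); invalid key sizes and a failing system RNG are treated as fatal programming errors.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // key must be 16, 24 or 32 bytes; sizes are fixed here, so this is a bug
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}
func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing system RNG is not something to recover from
	}
	return b
}
// seal encrypts data under key with AES-GCM, prepending the fresh random nonce.
func seal(key, data []byte) []byte {
	g := aead(key)
	nonce := random(g.NonceSize())
	return g.Seal(nonce, nonce, data, nil)
}
// open reverses seal; it fails on a wrong key or any tampering.
func open(key, blob []byte) ([]byte, error) {
	g := aead(key)
	if n := g.NonceSize(); len(blob) >= n {
		return g.Open(nil, blob[:n], blob[n:], nil)
	}
	return nil, errors.New("blob shorter than a nonce")
}
// Encrypt runs in the EU: a fresh DEK protects the record, the EU-held KEK wraps the DEK.
func Encrypt(kek, record []byte) (wrappedDEK, ciphertext []byte) {
	dek := random(32)
	return seal(kek, dek), seal(dek, record)
}
// Decrypt needs the KEK; a processor abroad holding only the two blobs gets an error.
func Decrypt(kek, wrappedDEK, ciphertext []byte) ([]byte, error) {
	dek, err := open(kek, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, ciphertext)
}
```

Because the wrapped DEK and the record ciphertext are opaque without the KEK, this protects the data at rest in the foreign region as well as in transit, which TLS alone does not.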
Another way to comply with the rulings is to steer clear of the cloud whenever possible. When it comes to the Internet of Things, for example, device vendors can tailor the connection type to ensure direct communication between the end user and the device. This kind of peer-to-peer connection bypasses the cloud, enabling private communication between user and device and avoiding the risk of storing personal consumer data in the cloud at all.
Of course, for those that do need to use the cloud for transatlantic data transfers, the best practice is to stick to the rules. The new SCCs provide additional clarification on what is and is not acceptable and go a long way toward addressing the requirement to legitimize transfers of personal data out of the EU. But, at the same time, the revised clauses continue to put the onus on individual companies to meet GDPR standards.
Companies looking to leverage the SCCs should identify the cross-border transfers under their responsibility and perform a nuanced analysis of how far the recipient country’s level of data protection matches the GDPR. Moreover, if any of the countries are part of the Five Eyes alliance (Australia, Canada, New Zealand, the United Kingdom, and the United States), an in-depth analysis will likely be required.
A careful, considered data strategy is the best way to appease the powers that be on either side of the Atlantic.