European privacy regulators are warning companies to assess government surveillance in countries where their citizens’ data is headed—a potentially daunting task that could be a boon for lawyers and consultants.
The European Data Protection Board is calling on companies to analyze surveillance laws whenever data on European citizens is sent overseas or accessed remotely from countries deemed to have inadequate privacy protections.
Such analysis is aimed at revealing how likely foreign governments are to access data on European Union citizens, depending on a company’s own experience and those of others in their industry, according to the board’s recommendations.
The recommendations, finalized in late June, are primarily meant to give companies compliance alternatives in the wake of the EU Court of Justice striking down the EU-U.S. Privacy Shield, one of the main mechanisms governing transatlantic data transfers. They also apply to transfers to countries beyond the U.S. that don’t meet Europe’s privacy standards.
The guidance could also intensify pressure on the U.S. and EU governments to come up with a policy solution so companies don’t have to conduct their own complex, costly legal assessments of foreign surveillance laws and then rely on those assessments to justify their transfers.
“There’s an urgent need for a diplomatic solution here,” said Caitlin Fennessy, former U.S. director for the Privacy Shield. Fennessy, who described the work of reviewing surveillance laws as “daunting,” is now the research director at the International Association of Privacy Professionals.
“This remains a huge challenge for companies to tackle on their own,” she said. “It is a whole lot of new work on privacy professionals’ plates.”
In striking down the Privacy Shield, the EU Court of Justice cited concerns that European citizens’ data would be subject to U.S. government surveillance. Those concerns stemmed from former U.S. intelligence contractor Edward Snowden’s revelations about spying by the U.S. National Security Agency.
The EDPB’s recommendations extend to other countries with surveillance laws or practices that could allow public authorities to access personal data, with or without the knowledge of the company receiving data from Europe.
The board doesn’t enforce laws like the EU’s General Data Protection Regulation, though it seeks to make sure data protection rules are applied consistently throughout the bloc.
Although the EDPB’s formula for transfer assessments is a recommendation, not a requirement, it’s likely to have the effect of mandatory rules because of EU privacy authorities’ enforcement, Mark Schreiber, a cybersecurity and privacy-focused counsel at McDermott Will & Emery, said.
International data flows are subject to scrutiny from European authorities that enforce privacy protections. The Irish data protection authority has 27 privacy probes open targeting
“This is what supervising authorities expect,” Schreiber said of the board’s recommendations.
For businesses, the EDPB-prescribed legal reviews offer a way to continue transferring data internationally even when it isn’t possible to apply technical safeguards to the data, such as encryption where the decryption keys remain solely under the exporter’s control in the EU.
Companies using U.S.-based cloud service providers that must process data in the clear, or accessing data on European workers from abroad, for instance, risk running afoul of the bloc’s rules because the EDPB didn’t identify technical safeguards that could be applied in such scenarios. When safeguards can’t be added, companies must document that they have no reason to believe the destination country’s surveillance laws will be applied to their data in practice.
Schreiber said he’s already working on so-called transfer impact assessments. The EDPB guidance means assessments, going forward, will have to be more detailed and better chronicled, he said.
“It will take more legal work and more documentation,” Schreiber said.
The surveillance assessments are also meant to look at whether the destination country has a data protection law in place or a regulatory authority dedicated to data protection. Companies should also determine whether local laws protect certain kinds of data, such as information on children, in ways that could affect the likelihood of government access, according to the board’s guidance.
Such reviews could prove challenging for multinational corporations with data flowing to different countries.
Completing the assessments will likely require hiring a local expert in countries where data on Europeans is accessible, said Elizabeth Johnson, an attorney who leads the privacy and data security practice at Wyrick Robbins Yates & Ponton LLP.
“What a boon this is for privacy lawyers, how much work this will generate,” Johnson said.
Some aspects of surveillance reviews may prove difficult, if not impossible, to perform. For instance, the board recommended that companies examine whether they or their industry peers have ever received government access requests, as evidence of how likely it is that transferred data will be subject to government access. But such information isn’t always publicly available.
Some companies have already taken steps to shield data from surveillance in response to EU scrutiny of data flows.
“The reality of enforcement based on businesses standing up to governments is hugely challenging,” said Cillian Kieran, founder and chief executive of privacy software startup Ethyca.
Companies, to ensure they don’t violate the GDPR, could take steps such as using EU data centers or separating European users’ data from other users’ data. But those aren’t easy answers, since such measures would be challenging from an engineering perspective, Kieran said.
“It’s a really difficult technical problem beyond the policy issues,” he said.