EU Regulators Take Tough Data-Transfer Approach After Ruling (2)

July 24, 2020, 3:53 PM

European Union regulators are adopting a much tougher approach to trans-Atlantic data transfers to meet the demands of a landmark ruling last week that warned about potential American surveillance.

Companies won’t have a grace period to comply with the decision by the EU’s top court that undercuts the current system, according to a six-page document prepared by regulators. In addition, firms must make assessments on how U.S. laws might curb privacy protections for European residents.

EU data-protection watchdogs grappled with ramifications of the Court of Justice ruling striking down the so-called Privacy Shield during a nearly 9-hour meeting that ended late Thursday. While the legality of a separate, much more widely-used contract-based system was upheld, doubts about American data protection make this a shaky alternative too.

Businesses want a “degree of certainty and comfort on what they should be doing to transfer data,” but the latest guidance “throws up more questions than answers,” said Rafi Azim-Khan, a privacy lawyer at Pillsbury Winthrop Shaw Pittman.

The controversy stretches back to 2013, when former contractor Edward Snowden exposed the extent of spying by the U.S. National Security Agency. Privacy campaigner Max Schrems has been challenging Facebook Inc. in the courts in Ireland -- where the social media company has its European base -- arguing that EU citizens’ data is at risk the moment it gets transferred to the U.S.

EU Court Blocks Data Pact Amid Fears Over U.S. Surveillance

While the court last week said Standard Contractual Clauses to transfer data remain valid, the bar has been raised to a level that will make EU-U.S. transfers under any tool complicated. The protection of EU citizens’ data in the U.S. must be “essentially equivalent” to that in the 27-nation bloc, the court said.

The ruling “has catapulted us back to the past,” said Johannes Caspar, head of the data protection watchdog in Hamburg, Germany, who attended the meeting.

He said the ruling could even compromise data transfers to other non-EU states.

“This could overwhelm” regulators, but “we can’t just sit down and not do anything,” Caspar said. “It’s a really difficult situation.”

The transfer of personal data using the contractual clauses “will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place,” according to the guidance from the European Data Protection Board, which is made up of the EU’s privacy watchdogs.

The document, published Friday, shows that U.S. companies, and others around the globe, will have to do “complex legal assessments that will test even seasoned privacy professionals and legal experts,” said Caitlin Fennessy, former Privacy Shield director at the U.S. Commerce Department under President Donald Trump.

In the absence of an EU-U.S. data-transfer decision, the court put the onus on companies to adopt additional protections.

The EU regulators are “looking further into what these supplementary measures could consist of and will provide more guidance,” the document, which is presented as Frequently Answered Questions, said.

“Technical measures such as encryption and data minimization could be one type of additional safeguards to be thinking about,” David Dumont, a lawyer with Hunton Andrews Kurth LLP in Brussels, said by phone.

The court had already struck down a trans-Atlantic data-transfer system, called Safe Harbor, in 2015 over concerns U.S. spies could get unfettered access to EU data. Many companies migrated to contractual clauses.

Since then, the bloc has put in place the General Data Protection Regulation, one of the world’s strictest privacy laws. This gives watchdogs unprecedented powers and raises potential fines for companies to as much as 4% of global annual sales.

The Irish Data Protection Commission, the lead EU regulator for Facebook and many other Silicon Valley giants, said last week after the ruling that the court’s concerns mean “the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable.”

EU regulators said they are “looking further into what these supplementary measures could consist of and will provide more guidance.”

(Updates with additional responses in fourth paragraph)

--With assistance from Daniel Stoller.

To contact the reporter on this story:
Stephanie Bodoni in Luxembourg at sbodoni@bloomberg.net

To contact the editors responsible for this story:
Anthony Aarons at aaarons@bloomberg.net

Christopher Elser

© 2020 Bloomberg L.P. All rights reserved. Used with permission.

To read more articles log in. To learn more about a subscription click here.