Bloomberg Law
Free Newsletter Sign Up
Bloomberg Law
Advanced Search Go
Free Newsletter Sign Up

EU Board Advises Companies to Assess Foreign Data Surveillance

July 12, 2021, 9:01 AM

European privacy regulators are warning companies to assess government surveillance in countries where their citizens’ data is headed—a potentially daunting task that could be a boon for lawyers and consultants.

The European Data Protection Board is calling on companies to analyze surveillance laws whenever data on European citizens is sent overseas or accessed remotely from countries deemed to have inadequate privacy protections.

Such analysis is aimed at revealing how likely foreign governments are to access data on European Union citizens, depending on a company’s own experience and those of others in their industry, according to the board’s recommendations.

The recommendations, finalized in late June, are primarily meant to give companies compliance alternatives in wake of a court striking down the EU-U.S. Privacy Shield, one of the main mechanisms governing transatlantic data transfers. They also apply to countries beyond the U.S. that don’t meet Europe’s privacy standards.

The guidance could also intensify pressure on the U.S. and EU governments to come up with a policy solution so companies don’t have to conduct their own complex, costly legal assessments of foreign surveillance—and rely on them for data privacy assurance.

“There’s an urgent need for a diplomatic solution here,” said Caitlin Fennessy, former U.S. director for the Privacy Shield. Fennessy, who described the work of reviewing surveillance laws as “daunting,” is now the research director at the International Association of Privacy Professionals.

“This remains a huge challenge for companies to tackle on their own,” she said. “It is a whole lot of new work on privacy professionals’ plates.”

Data Surveillance

In striking down the Privacy Shield, the EU Court of Justice cited concerns that European citizens’ data would be subject to U.S. government surveillance. The concerns stemmed from former contractor Edward Snowden’s revelations on spying by the U.S. National Security Agency.

The EDPB’s recommendations extend to other countries with surveillance laws or practices that could allow public authorities to access personal data, with or without the knowledge of the company receiving data from Europe.

The board doesn’t enforce laws like the EU’s General Data Protection Regulation, though it seeks to make sure data protection rules are applied consistently throughout the bloc.

Although the EDPB’s formula for transfer assessments is a recommendation, not a requirement, it’s likely to have the effect of mandatory rules because of EU privacy authorities’ enforcement, Mark Schreiber, a cybersecurity and privacy-focused counsel at McDermott Will & Emery, said.

International data flows are subject to scrutiny from European authorities that enforce privacy protections. The Irish data protection authority has 27 privacy probes open targeting Facebook Inc. and other tech companies that have set up their EU hubs in Ireland. Authorities in France, the U.K., and elsewhere have also fined companies for failing to protect Europeans’ personal data.

“This is what supervising authorities expect,” Schreiber said of the board’s recommendations.

Technical Safeguards

For businesses, the EDPB-prescribed legal reviews offer a way to continue transferring data internationally even when it’s not possible to apply technical safeguards to data, such as encryption.

Companies using U.S.-based cloud service providers or accessing data on European workers from abroad, for instance, risk running afoul of the bloc’s rules because the EDPB didn’t suggest safeguards that could be applied in such scenarios. But when safeguards can’t be added, companies must show they have no reason to believe their data will be subject to government surveillance.

Schreiber said he’s already working on so-called transfer impact assessments. The EDPB guidance means assessments, going forward, will have to be more detailed and better chronicled, he said.

“It will take more legal work and more documentation,” Schreiber said.

Local Laws

The surveillance assessments are also meant to look at whether data’s destination country has a privacy-protecting law in place or a regulatory authority dedicated to data protection. Companies should also determine if there are local laws protecting certain kinds of data, like information on children, that could impact the likelihood of government access, according to the board’s guidance.

Such reviews could prove challenging for multinational corporations with data flowing to different countries.

Completing the assessments will likely require hiring a local expert in countries where data on Europeans is accessible, said Elizabeth Johnson, an attorney who leads the privacy and data security practice at Wyrick Robbins Yates & Ponton LLP.

“What a boon this is for privacy lawyers, how much work this will generate,” Johnson said.

Some aspects of surveillance reviews may prove difficult, if not impossible, to perform. For instance, the board recommended that companies look at whether a company or its peers have ever faced government access requests, to show the likelihood of data flows being intercepted. But such information isn’t always publicly available.

Business Response

Some companies have already taken steps to shield data from surveillance in response to EU scrutiny of data flows. Microsoft Corp., for example, has pledged to challenge government requests to access its customers’ information. It remains to be seen whether other companies will make similar commitments.

“The reality of enforcement based on businesses standing up to governments is hugely challenging,” said Cillian Kieran, founder and chief executive of privacy software startup Ethyca.

Companies, to ensure they don’t violate the GDPR, could take steps such as using EU data centers or separating European users’ data from other users’ data. But those aren’t easy answers, since such measures would be challenging from an engineering perspective, Kieran said.

“It’s a really difficult technical problem beyond the policy issues,” he said.

To contact the reporter on this story: Andrea Vittorio in Washington at

To contact the editors responsible for this story: Melissa B. Robinson at, Kibkabe Araya at