EU data-sharing nightmare looms
Firms are facing a data-handling migraine following changes to the way that the EU deals with data transfers to non-member states.
UK companies are facing a data-handling headache following changes to the way that the European Union deals with data transfers to nonmember countries.
In a critical judgement that will alarm companies dealing with personal data transfers, the European Court of Justice ended the “Privacy Shield” data transfer agreement that allowed some 5,300 companies to share data between the EU and US without additional controls.
Privacy Shield was supposed to hold US companies to a higher standard than normal in order to protect Europeans’ data, but was struck down because US laws do not protect Europeans from widespread US government snooping.
Privacy lawyers believe that the UK could fall into the same sin bin once it leaves the EU. “The judgement will certainly give the UK government a headache over adequacy if the UK strays too far from the GDPR,” explained Chris Pounder, director of legal training specialist Amberhawk.
With the UK stalled in talks over “data equivalency”, which would allow it to continue sharing data from EU companies and organisations, experts believe UK firms could find themselves in a similar position to the US and scrabbling to organise alternatives.
The alternatives to Privacy Shield involve paperwork called standard contractual clauses (SCCs), which are templates from the EU that companies fill out to show compliance, but opinion remains divided on whether they will be valid in light of the latest ruling and the UK’s own anti-terror laws.
“SCCs are being seen as a solution, but if you dig a little deeper they are not a panacea – the direction of the court suggests that you can’t just use a piece of paper and everything will be fine,” said Neil Brown of law firm Decoded Legal. “You really need to be looking at the rules of the countries where you’re going to be transferring your data.
“In a nutshell, it may be tricky for the data controllers or processors to be confident that the SCCs will sufficiently protect transfers of personal data to the UK given laws such as the Investigation of Investigatory Powers Act,” which also allows government snooping.
The situation could see UK companies having to approach the EU for special SCCs drawn up for UK firms. “It will be embarrassing if these SCCs have to contain additional requirements to protect European data subjects because the UK’s data protection regime is viewed to be inadequate,” said Pounder.