EU takes tough approach to data moves
European Union regulators are adopting a tougher approach to trans-Atlantic data transfers to meet the demands of a landmark ruling last week that warned about potential American surveillance.
Companies won’t have a grace period to comply with the decision by the EU’s top court that undercuts the current system, according to a six-page document prepared by regulators. In addition, firms must make assessments on how U.S. laws might curb privacy protections for European residents.
EU data-protection watchdogs grappled with ramifications of the Court of Justice ruling striking down the so-called Privacy Shield during a nearly 9-hour meeting that ended late Thursday. While the legality of a separate, much more widely-used contract-based system was upheld, doubts about American data protection make this a shaky alternative too.
“Companies are in a pretty difficult position where the only real zero risk solution is to stop data from being transferred to the U.S.,” David Dumont, a lawyer with Hunton Andrews Kurth LLP in Brussels, said by phone.
The controversy stretches back to 2013, when former contractor Edward Snowden exposed the extent of spying by the U.S. National Security Agency. Privacy campaigner Max Schrems has been challenging Facebook Inc. in the courts in Ireland — where the social media company has its European base — arguing that EU citizens’ data is at risk the moment it gets transferred to the U.S.
While the court last week said SCCs to transfer data remain valid, the bar has been raised to a level that will make EU-U.S. transfers under any tool complicated. The protection of EU citizens’ data in the U.S. must be “essentially equivalent” to that in the 27-nation bloc, the court said.
The ruling “has catapulted us back to the past,” said Johannes Caspar, head of the data protection watchdog in Hamburg, Germany, who attended the meeting.
He said the ruling could even compromise data transfers to other non-EU states.
“This could overwhelm” regulators, but “we can’t just sit down and not do anything,” Caspar said. “It’s a really difficult situation.”
The transfer of personal data using SSCs “will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place,” according to Friday’s guidance from the European Data Protection Board, which is made up of the EU’s privacy watchdogs.
In the absence of an EU-U.S. data-transfer decision, the court put the onus on companies to adopt additional protections.
The EU regulators are “looking further into what these supplementary measures could consist of and will provide more guidance,” the six-page document, which is presented as Frequently Answered Questions, said.
“Technical measures such as encryption and data minimization could be one type of additional safeguards to be thinking about,” Dumont said.
The court already had struck down a trans-Atlantic data-transfer system, called Safe Harbor, in 2015 over concerns U.S. spies could get unfettered access to EU data. Many companies migrated to SCCs.
Since then, the bloc has put in place the General Data Protection Regulation, one of the world’s strictest privacy laws. This gives watchdogs unprecedented powers and raises potential fines for companies to as much as 4 percent of global annual sales.
The Irish Data Protection Commission, the lead EU regulator for Facebook and many other Silicon Valley giants, said last week after the ruling that the court’s concerns mean “the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable.”