On Friday 25 March, President Biden and the President of the European Commission jointly announced that they had reached an agreement in principle on a revised trans-Atlantic data flow mechanism. The timing could not have been better, as I was moderating a panel on “International Data Transfers in 2022 and Beyond” at the Privacy + Security Forum Spring Academy on the same day.
The panel was made up of William Malcolm, Director of Privacy at Google, Vivienne Artz, OBE Chair of the International Regulatory Strategy Group Data Committee, and Joe Jones, Deputy Director International Data Transfers Data Policy Directorate at the UK’s Department for Culture, Media & Sport.
Our plan was to facilitate a discussion focused on recent enforcement actions and statements by data protection authorities in the EU and UK, that had highlighted the increasingly complex challenges organisations face in complying with GDPR when transferring personal data out of Europe.
Instead we had a very engaging hour discussing how important data transfers are in a digital economy, noting that at the EU-US summit the discussion of data was second only to discussions of the situation in Ukraine; and that although the EU-US announcement had set Twitter feeds alight, it provided no information as to what the actual agreement was or how it would avoid falling foul of being challenged as Schrems III, IV or V. Finally, we brainstormed some ideas as to the direction or detail that could be contained in the new EU-US agreement and which could really drive change in the regulation of international data flows.
It was clear to all that following the CJEU’s ruling in Schrems II, which invalidated the EU-US Privacy Shield and made use of Standard Contractual Clauses more challenging for business, commercial organisations find themselves in the situation in which data transfers are becoming an impediment to business when really they should be the soil of the digital society in which services and societal benefits can grow globally.
On the recent enforcement actions against data transfers linked to the analytics products, the panel voiced concern that in following the CJEU’s position in Schrems II, regulators have become centered on national governments’ access to data, which is outside the control of a commercial organisation, and are no longer looking at actual risk, i.e. comparatively limited and de-identified datasets and even less interest from foreign intelligence services. It was noted that the analytics product in question had been around for 15 years but, in that time, not one FISA request had been made relating to it. This focus is unhelpful, impractical and detrimental to a globally interlinked digital economy.
The panel was aligned that it would be more productive if the conversation on international data flows focused on the steps commercial organisations should be taking to protect personal data and the rights of individuals. To re-focus the conversation around practical risks arising from international data transfers, the panel discussed potential alternative approaches:
- Increase the number of adequacy decisions to remove the need for commercial assessment of data transfers. The panel noted that the EU’s approach of assessing a third country’s data protection regimes in a direct read-across of the GDPR has been a bar to granting adequacy. A more expansive approach could be used, based on the understanding that there are different approaches to data protection, but that a difference of approach may not fundamentally weaken or prevent a third country from being adequate in protecting personal data and the rights of the individual. As there have been many new pieces of legislation post-GDPR, we should be learning from these to raise the bar practically. It is hoped that with the flexibility gained since leaving the EU, the UK may align more closely with this approach, respecting differences in approach as it assesses and grants adequacy.
- There was also hope of increasing the use of industry-sector standards and certifications, in areas such as healthcare and finance. The COVID-19 pandemic has shown that with the right safeguards, the international sharing of data is critical to ensuring public health globally and can provide great societal benefits. However, almost four years have passed since the GDPR came into effect and there are practically no certification schemes to protect international transfers. The use of Binding Corporate Rules for groups of companies to share data has not seen the uptick that was expected. So the issue must be: how can these mechanisms be made efficient, simple and cost-effective? One thought was to move away from current concepts within the GDPR that are assessed on geography, despite the fact that data does not flow geographically, and towards concepts of regulated and unregulated data. The effect of this would be to ensure that a certified organisation (a bank, for example) would have to treat its regulated data with the same safeguard and protections irrespective of location. Such a system would greatly reduce the need for an assessment of what would be needed at an organisational level and may be a better reflection of who organisations interact with in the global digital economy.
With regard to the announcement of the EU-US data transfer agreement, it would be momentous if it does as promised and “enable predictable and trustworthy data flows between the EU and U.S., safeguarding privacy and civil liberties”. However, the devil will be in the details and we are likely months away from any legal agreement. Early hints on direction were provided following the announcement in press releases from both sides. The White House stated that it was committed to:
- Strengthening the privacy and civil liberties safeguards governing US signals intelligence activities;
- Establishing a new redress mechanism with independent and binding authority; and
- Enhancing the existing oversight of signals intelligence activities.
The focus on signals intelligence activities in particular suggests that the EU and US are playing catch-up to the challenges posed by Schrems II, rather than seeking creative solutions to pre-empt any future action from privacy activists. Wherever the agreement lands, one certainty is that EU privacy campaigners will be ready to review and challenge as they have done with Safe Harbor and the Privacy Shield.
However, if the panel’s suggestions on other more global alternatives to a trans-Atlantic agreement were to be followed, this could make many sectors less reliant on the EU-US- style agreement and really address international transfers on a global level. We are at a point where we can pivot. If we do pivot, providing practical obligations and safeguards as well as simple mechanisms for individual redress and remedy perhaps, and, unlike the Rocky series, we do not get to see Schrems III, IV and V…what a knockout that would be!