Annulment of Privacy Shield can reverse global borderless data transfers.
Data typically knows no boundaries. Increasing restrictions on data transfers worldwide are prompting companies to rethink how they do business. The data transfer tools that shuttle digital information around the globe are now legally in limbo, and corporate lawyers have to grapple with the concept of limiting the flow of data out of a given jurisdiction.
It remains unclear precisely how EU watchdogs will interpret the Privacy Shield ruling, but global companies cannot wait and are proactively deciding to keep their data in the bloc.
Annulment of Privacy Shield
After the EU’s top court in August 2020 struck down the second transatlantic data protection agreement, called Privacy Shield, as inadequate, businesses on both sides of the Atlantic are impatiently waiting for a swift replacement that would preserve the concept of frictionless data transfers that has governed the internet since its inception.
Like regulators in other jurisdictions, European regulators would prefer that personal data be stored inside the bloc. The EU’s landmark General Data Protection Regulation (GDPR) has provided a template for privacy rules in other parts of the world, and GDPR-like laws with local data storage requirements are now in the pipeline in other countries.
Data localisation requirements are increasingly detrimental to companies with a global footprint and a global mindset. Such companies are now preparing themselves for a future of tighter digital data regulation and are considering how to compartmentalise personal data by region.
In the past, storing personal data in central databases allowed a lot of flexibility for data export. Because of the Schrems II ruling, however, the mechanisms are shifting toward storing data locally, and companies are imposing increasing restrictions on data flows to make their GDPR compliance programmes foolproof.
The response to US privacy probing
While annulling Privacy Shield over fears of US snooping, the court upheld the legality of another instrument used to export personal data all over the world, the Standard Contractual Clauses (SCCs). The court stressed that it is up to companies and data protection regulators to check whether transfers made under those instruments adhere to Europe’s high data protection standards.
The EU data protection authorities responded by reiterating that the assessment of whether a data export using SCCs is legal will be done on a “case-by-case basis”. This approach raises the prospect of companies having to perform a detailed analysis of foreign surveillance regimes if they want to send data abroad.
The complex web of agreements between suppliers and customers
Local data storage requirements are also in fashion around the world. China, Russia, India and Brazil are high-profile adherents to such policies, and restrictions on data are popping up everywhere, many of them leaning toward data localisation requirements. Other countries like Vietnam, Malaysia and Australia, as well as some Canadian provinces, have similar limits.
For large global companies and global empires, a shift toward data localisation is terrible news. Many of these companies ship large quantities of data back to the United States for processing, analysis, research and other purposes. Having to regionalise those functions would mean reorganising corporate structures and becoming subject to greater regulatory scrutiny in other countries.
Assuming that everything is done correctly at the technical and organisational level, localising data is the most straightforward approach in terms of adequacy; in most cases, however, GDPR compliance will require real technological changes or even rearchitecting the systems.
Companies could store their data in Europe, or reach for a wildcard: encrypting everything that crosses the Atlantic.
Binding Corporate Rules
The transfer of personal data to the US can also be based on one of the following instruments:
– Standard or ad hoc Data Protection Clauses
– Binding Corporate Rules
– Codes of Conduct and Certification Mechanisms
Contracts that include EU-approved clauses, as well as derogations, can be used in the absence of Standard Data Protection Clauses or other appropriate safeguards. These solutions are also subject to some legal uncertainty and may face legal challenges that could invalidate the transfer mechanisms.
Implementing binding corporate rules and standard contractual clauses is probably the simplest way to go, especially for most small and medium-sized enterprises. For large organisations, however, they can be cumbersome and costly to implement, given the short timeframe.
Disclaimer: The authors of this newsletter do not provide legal advice and are not licensed to do so.