deepagopi2011 - Fotolia

EU to introduce data-sharing measures with US in weeks

The European Commission is to issue updated standard contractual clauses (SCCs) that will allow organisations in the EU to exchange data with the US, but they may arrive too late to incorporate into UK law

The European Commission (EC) will issue updated legal contacts that will outline how companies and businesses can share data with the US – without breaching European Union (EU) privacy laws – within weeks.

The move is designed to give legal clarity to European organisations following advice from regulators that they should conduct detailed privacy assessments before they share personal data with the US.

The contracts, known as standard contractual clauses (SCCs), provide a legal mechanism for European companies to exchange data with the US and other third-party countries.

Businesses have been facing legal uncertainty since the European Court of Justice (ECJ) invalidated the EU-US data-sharing agreement, Privacy Shield, in July, and spelled out caveats for companies using SCCs.

European data protection regulators have since warned companies that they remain responsible for ensuring they comply with EU data protection and human rights laws when they exchange personal data about EU citizens with the US.

Toolbox of options

The EU is expected to issue updated SCCs that will provide businesses with a “toolbox” of options to transfer data, as part of an attempt to clarify their legal position.

The SCCs will be updated to comply with the Max Schrems judgment and Europe’s General Data Protection Regulation (GDPR) data protection legislation.

They are expected to be followed by revised guidelines from the European Data Protection Board (EDPB) on data transfers between the EU and the US.

Eleonor Duhs, director of law firm Fieldfisher’s privacy and information law group, said the EU’s revised standard contractual clauses were expected to cover scenarios not covered by the existing SCCs.

For example, among other omissions, the current SCCs do not offer provisions to legally exchange data for organisations that act as data controller outside of the EU and want share data with the EU for processing.

“My understanding is that whatever configuration of data controller or sub-processor you have, you are going to have certain contractual clauses available in any of those scenarios,” she said.

Other measures are likely to include a requirement for EU organisations sharing data with the US to exert some control over how the data would be shared with US law enforcement and intelligence services.

That would mean a robust process to ensure that companies in the US that receive EU data don’t hand data over to US agencies just because it’s asked for, but only do so if they are presented with a court warrant or other evidence of a judicial process.

Encryption and data minimisation

Bruno Gencarelli, head of the international data flows and protection unit of the European Commission, told an online seminar that the revised SCCs would require companies to take into account all the relevant circumstances of data transfers.

That would include the nature of the transfer, the business model of the organisations and whether the country receiving the data has an adequacy agreement with the EU.

Companies will be able to use the assessment to decide whether they want to use a data transfer mechanism, and whether they need to introduce additional safeguards, such as encryption, to mitigate any data protection risks, said Gencarelli.

The EC is expected to offer companies “non-exhaustive” and “non-prescriptive” guidance on the factors they should take into account.

This includes the security of computer systems used, whether data is encrypted and how organisations will respond to requests from the US or other government law enforcement agencies for access to personal data on EU citizens.

Gencarelli said relevant questions would include: What do you do as a company when you receive an access request? How do you review it? When do you challenge it – if, of course, you have grounds to challenge it?

Companies may also need to assess whether they can use data minimisation principles to ensure that any data on EU citizens they hand over in response to a legitimate request by a government is compliant with EU privacy principles.

The guidelines, which will be open for public consultation, will draw on the experience of companies that have developed best practices for SCCs and of civil society organisations.

Gencarelli said he recognised that smaller companies might not have the time and expertise to conduct in-depth investigations, and that the EU was working on SSCs as an off-the-shelf solution for data transfers.

Thomas Boué, director-general of policy for the Business Software Alliance (BSA), a trade body for technology companies, told the seminar that the commission’s “toolbox methodology” would be an important step forward.

“It has to be done on a case-by-case basis. We won’t be able to have one solution, one thing that is going to work. If that is what we are looking for, I think you will be disappointed,” he said.

However, Alex Greenstein, director of Privacy Shield for the US Department of Commerce, said an intensive case-by-case analysis of data transfers would be a significant undertaking for companies.

“Given the amount of resources it takes to do the mini adequacy assessment, it’s much more proportionate simply to deem your third country to have failed the mini adequacy assessment and to move on to supplementary measures”
Eleonor Duhs, Fieldfisher

Some 70% of the companies that use Privacy Shield are small and medium-sized companies, he said.

The US began talks with the EU in August to “evaluate the potential” for an enhanced version of Privacy Shield that would meet EU law.

Greenstein said the US was holding discussions with different sectors of the economy, ranging from healthcare to research, that would be affected by an enhanced Privacy Shield.

One of the items under discussion is the role of the US Privacy Civil Liberties and Oversight Board (PCLOB), an independent body that monitors US compliance with privacy and civil liberties, in surveillance programmes.

Duhs said the EDPB might require companies to go through a three-state process: first, assessing whether they can use standard contractual clauses; second, assessing whether that data processing is compatible with EU law; and third, using supplementary measures to protect data where necessary.

In practice, companies may be able to avoid the cost and time of an adequacy assessment of their data exchanges with the US by simply assuming the US is non-compliant.

If the EDPB allowed for such a move, this would allow organisations to go straight ahead with other data protection measures that will mitigate the risks of non-compliance with EU law.

“Given the amount of resources it takes to do the mini adequacy assessment, it’s much more proportionate simply to deem your third country to have failed the mini adequacy assessment and to move on to supplementary measures,” she said.

Privacy Shield may turn on US election

How quickly a replacement to Privacy Shield is introduced is likely to depend on the results of the US election.

It is widely believed that a Biden presidency would be more likely to want to prioritise data sharing between the US and the EU than a second-term Trump administration.

And the changes to standard contractual clauses may not arrive in time to incorporate into UK law before the end of the Brexit transition period, particularly if the EU allows time for public consultation.

“The UK GDPR is potentially going to be heading off in a separate direction from the EU,” said Duhs.

Read more on Privacy and data protection

Data Center
Data Management