Data transfers between the EU and the US: Still unclear on what you're supposed to do? Here's an explainer

This (still) applies to British businesses too... for now


Lightning does not strike twice – except, it would seem, in the land of data privacy. Having struck down Safe Harbor – the agreement governing EU-US data transfers – in 2015, the Court of Justice of the European Union (CJEU) went on to condemn its replacement, the beleaguered EU-US Privacy Shield, to a similar fate just over a year ago.

This presented the more than 5,400 businesses reliant on the Privacy Shield to move data across borders with a bit of a problem. Happily, though, comfort was found in the shape of Standard Contractual Clauses (SCCs), which seemed to provide an easy, quick fix to the data transfer challenge. Except they didn't.

Now, it would be wrong to say that lightning struck a third time – the CJEU did not invalidate SCCs – but the Court did rule, in the same judgment that put an end to the Privacy Shield, that businesses must assess the underlying transfer of data to which the contracts apply. A cookie-cutter approach simply wouldn't work.

The upshot is that business lost what it thought was a silver bullet, and for many readers, question marks still linger over the issue of data transfers between the EU and the US. Not only are these questions unlikely to disappear overnight, but in the months ahead, they could in fact intensify. After all, the broad powers of US authorities are proving to be one rather large spanner in the works of the ongoing EU-US data adequacy negotiations.

Businesses, then, could be forgiven for scratching their heads about what the legal requirements for transferring data actually include.

However, the European Commission recently (in June 2021) published its updated SCCs, which included provisions to combat the flaws identified by the Court, whilst the European Data Protection Board published its advice on the "supplementary measures" a business must take just a few days later. Taken together, the guidance does provide business with a route through the confusion.

Put simply, the guidance sets out six stages that should be completed to assess the risks of the transfer, which include:

  1. identifying both the initial transfer, and also any onward transfers,
  2. identifying the transfer tool relied upon,
  3. considering whether the transfer tool is effective when considered alongside the national law of the importing nation,
  4. considering whether any “supplementary measures” are needed to safeguard the transfer. These include certain technical measures (e.g. encryption and pseudonymisation), contractual measures (including imposing obligations on receiving data) and organisational measures (such as access controls),
  5. considering any country-specific procedural steps (e.g. consulting with the relevant data supervisory authorities in the exporting country), and
  6. keeping ongoing obligations under review, i.e. re-evaluating transfers at appropriate intervals.

It is important to note that the data protection landscape will continue to change. If the former Secretary of State for Digital, Culture, Media and Sport, Oliver Dowden, is to be believed, the UK is considering a possible deviation from the GDPR in the months ahead. We're still awaiting the proposals, so it's too early to say precisely how the new regime will look, but if early rumblings are to be believed, businesses with UK connections will need to watch this space closely.

Of more immediate concern is the publication by the UK Information Commissioner's Office of its draft international data transfer agreement and associated guidance in August this year, adding another facet to the already complex landscape.

And thereby hangs the tale. At its core, the General Data Protection Regulation (GDPR – and in post-Brexit Britain, UK GDPR) was about promoting accountability and so, no matter where lightning strikes in the future, nothing will protect businesses more than being on their front foot. As this is such a fast-moving and complex area, businesses should seek specialist advice to avoid stepping on any regulatory landmines.

Rafi Azim-Khan is head of Data Privacy Europe at Pillsbury Winthrop Shaw Pittman, and Steve Farmer is a partner at the firm.

