Lack of progress on successor to Privacy Shield transatlantic data transfer agreement and UK exit from GDPR likely to mean complications, experts say
A new US administration may not necessarily bring with it a new data transfer pact between the EU and the United States, the top EU data protection authority has said.
And experts have warned that 2021 is also likely to bring in fresh challenges to British companies exchanging data with EU organisations, due to a change in the UK’s designation under EU privacy law.
The EU Court of Justice (CJEU), the bloc’s top court, in July struck down a transatlantic data-sharing agreement called Privacy Shield that had been in place since 2016, when it replaced the earlier Safe Harbour arrangement.
The deal allowed companies in the EU – which at the time included the UK – to exchange data with firms based in the US, including, in many cases, their own parent companies in Silicon Valley.
But the CJEU determined that the risk of US government surveillance accessing the personal data of EU citizens was too great.
Since then, companies have been using a mechanism called standard contractual clauses to transfer data around the world.
The EU and the US are working on a successor to Privacy Shield, but European Data Protection Supervisor (EDPS) Wojciech Wiewiorowski warned companies not to expect a resolution in the short term.
“I don’t expect a new solution instead of Privacy Shield in the space of weeks, and probably not even months, and so we have to be ready that the system without a Privacy Shield-like solution will last for a while,” Wiewiorowski told Reuters.
He said a new arrangement could require changes to US national security law and said the new administration may not “take this topic as the most important”.
The European Union is also proposing revisions to standard contractual clauses, and Wiewiorowski called the proposals “promising”.
UK data transfers
EU concerns about protecting citizens’ data are also likely to affect data transfers between the EU and the UK in the new year.
The UK continues under the authority of the EU’s GDPR privacy legislation until 31 January, after which it will be designated as a “third country” for EU data protection purposes.
The UK and the EU are negotiating a GDPR equivalency agreement, but in the absence of such a deal UK firms face challenges similar to those in the US in ensuring they can transfer personal data across international borders.
“As crazy as it may seem given that the UK has been part of EU Data Privacy since 1984, when the UK ends its transitionary stage with the EU at the end of the year, it will not automatically retain its GDPR equivalency,” said Darren Wray, chief technology officer at data privacy consultancy Guardum.
He said companies will need to put special contractual agreements in place to carry out such transfers and warned that the validity of such arrangements is “likely to be challenged”.
Wray noted that in the legal challenges that brought down Privacy Shield and Safe Harbour, the UK was named as a partner in some of the US global surveillance programmes causing privacy concerns.
“This, combined with regulation such as the Regulatory Investigatory Powers Act 2000 (RIPA) which enshrines state surveillance in UK law, means that EU firms will be forced to see the UK as not offering adequate EU data protection,” Wray said.
He said UK organisations should act now to review their international data transfer arrangements, along with their client and vendor agreements concerning data.
British companies should consider investing in redaction software to automatically remove personal data from documents being sent across borders for processing, Wray said.