International Transfers Archives - TechGDPR
https://techgdpr.com/blog/category/international-transfers/

GDPR Compliance for AI: Managing Cross-Border Data Transfers
https://techgdpr.com/blog/gdpr-compliance-for-ai-managing-cross-border-data-transfers/
Wed, 23 Jul 2025 07:33:02 +0000

The post GDPR Compliance for AI: Managing Cross-Border Data Transfers appeared first on TechGDPR.

Artificial intelligence (AI) relies on large and varied datasets to train models and improve functionality. Because AI systems often operate across borders, data protection regulations such as the EU General Data Protection Regulation (GDPR) impose stringent controls on transferring personal data abroad.

The question is obvious: how can businesses use global AI systems while still complying with the GDPR's rules on cross-border data transfers? Answering it requires understanding how AI systems use personal data and how the legal framework governing cross-border transfers applies to that use.

Understanding the AI and the GDPR Landscape

Artificial intelligence systems typically need very large amounts of data, which may include personal data. This data is usually collected in several jurisdictions and processed on cloud platforms, in data centers, and by development teams in several countries. Such worldwide infrastructure complicates GDPR compliance, because the GDPR restricts transfers of personal data outside the European Economic Area (EEA) and the United Kingdom.

The GDPR is grounded in the principles of lawfulness, fairness, transparency, purpose limitation, and data minimization. It also requires accuracy, storage limitation, integrity, confidentiality, and accountability. Any AI system that processes personal data must adhere to these principles, including when the data is transferred.

A cross-border data transfer takes place when personal data is moved from the EEA to a third country. Such transfers are governed by Chapter V of the GDPR, which sets out the legal mechanisms organisations must use. Since most AI systems involve international data processing, virtually all of them face this regulatory challenge.

Focal Compliance Challenges in Cross-Border AI Projects

Several challenges make cross-border data transfers in AI projects hard to manage:

  • Terabytes of information: AI systems ingest text, images, video, audio, and behavioral data in volumes that older compliance procedures struggle to keep up with. Collecting, categorizing, and safeguarding these datasets across borders is no small challenge.
  • Pseudonymization risks: So-called anonymized data can in fact enable re-identification, particularly when combined with additional datasets. It is important to understand the difference between pseudonymized and anonymized data.
  • Lack of transparency: Many AI systems, especially deep-learning systems, are “black boxes.” This lack of interpretability can hinder an organization's ability to demonstrate GDPR compliance, especially with purpose limitation and data minimization.
  • Shifting rules: National authorities and the European Data Protection Board (EDPB) regularly update their guidance on AI, on international transfers, and on how the two interact. Requirements only increase with the arrival of legislation such as the EU AI Act.
  • Third-party risk: Third-party data suppliers, cloud vendors, and outsourced data processors are increasingly part of the AI supply chain. Unless they are properly managed, they introduce third-party risk in the form of non-compliance, data loss, or unauthorized transfers.

Legal Frameworks for GDPR-Compliant Cross-Border Transfers

The GDPR provides a range of legal mechanisms for transferring personal data outside the EEA, each subject to its own conditions and limitations.

  • Adequacy decisions are one of them. The European Commission can determine that a non-EEA country ensures an “adequate” level of protection for personal data, in which case data can flow to it freely. Such decisions have been granted to Japan and Switzerland, and to the United States under the new EU–U.S. Data Privacy Framework. Adequacy decisions are not permanent, however, and can be invalidated, as happened with Privacy Shield.
  • For transfers to countries without an adequacy decision, Standard Contractual Clauses (SCCs) are the most commonly used mechanism. These contractual clauses commit the recipient to keeping the protection of the transferred data at EU level. Since the Schrems II judgment, organizations must perform Transfer Impact Assessments and put additional safeguards in place in order to rely lawfully on SCCs.
  • Binding Corporate Rules (BCRs) are a further option for multinationals. They are internal codes of conduct that must be approved by a data protection authority and are legally enforceable against the corporate group. They are a scalable solution for intragroup data transfers, but obtaining approval can be time-consuming and costly.
  • The GDPR also provides limited derogations for specific situations, such as where the individual gives unambiguous consent or where the transfer is necessary to conclude a contract. These exceptions are narrow and are not meant for routine or bulk transfers.

Practical Steps to Remain Compliant

To manage cross-border data transfers effectively, follow these best practices:

  • Map data flows: Determine where personal data originates, where it is processed, and where it is sent.
  • Perform Data Protection Impact Assessments (DPIAs): For higher-risk AI projects, DPIAs identify risks of discrimination and bias, data protection risks, and the risks of the transfers involved.
  • Improve data governance: Establish policies and roles that give operational, technical, and legal teams clear accountability. This ensures consistency and accountability when handling personal data.
  • Enforce security controls: Organizational and technical controls are also required. These include secure development of AI models, access controls, pseudonymization, and encryption. Regular security audits and penetration tests help address threats to the systems that perform cross-border transfers.
  • Manage third parties: Put sound data processing terms in place and ensure all suppliers comply with the GDPR. Any AI supplier or cloud provider that handles personal data on your behalf must undergo rigorous due diligence, including negotiating sound data processing agreements (DPAs) and verifying that the vendor applies GDPR-level controls.
  • Train your staff: Make sure staff understand their role with regard to AI and the international processing of personal data. A dedicated incident response plan also needs to be in place to handle breaches involving AI systems.

Readiness and Regulation

Regulatory requirements are changing. The EU AI Act and industry-specific guidelines from the EDPB and others will keep reshaping what AI compliance looks like. Leading businesses are already building governance structures aligned with the GDPR and these new rules. Technologies such as automated data flow mapping, real-time risk management, and regularly repeated Transfer Impact Assessments are becoming standard. Legal, technical, and compliance staff need to work together so that AI innovation fits within regulatory requirements.

Conclusion

Cross-border transfers of AI data under the GDPR are difficult but not impossible. With a sound understanding of the regulatory frameworks, attention to high-risk areas, and effective mitigations, organizations can deploy AI technologies in full compliance.

Building AI responsibly means building it lawfully. Now is the time to audit your cross-border data transfer processes, strengthen your governance structure, and embed compliance in all areas of your AI work.

Upcoming Webinar: The Trump Effect on EU-US Data Transfers
https://techgdpr.com/blog/webinar-the-trump-effect/
Tue, 04 Feb 2025 13:09:08 +0000

TechGDPR invites you to another insightful live discussion, The Trump Effect. Join our new Senior Consultant and former Information Commissioner, Stewart Haynes, alongside our Managing Partner, Silvan Jongerius, for an in-depth examination of how U.S. policies under the Trump administration have influenced EU-US data transfers and the broader regulatory landscape.

Webinar Sign Up

Date: Tuesday, February 11, 2025
Time: 14:00 CET
Where: LinkedIn Live

Why You Should Attend

Transatlantic data transfers remain a hot-button issue, and understanding their legal, political, and business implications is more critical than ever. This session will provide expert insights into the historical, legal, and strategic dimensions of EU-US data transfers, including:

  • Overview of EU-US Data Transfer Mechanisms: A deep dive into Privacy Shield, Standard Contractual Clauses (SCCs), and the evolution of cross-border data frameworks.
  • Impact of U.S. Policies Under the Trump Administration: Analyzing shifts in surveillance, national security, and international data flow policies, along with their ramifications for European privacy laws.
  • Legal and Regulatory Developments: Exploring key rulings such as Schrems II, the invalidation of Privacy Shield, and how the EU has responded to protect its data sovereignty.
  • Business and Compliance Implications: Examining the challenges organizations face when transferring data across the Atlantic, along with strategies to mitigate risks and remain compliant.
  • Geopolitical and Diplomatic Considerations: Understanding the balance between national security interests and data privacy, and how these concerns shape transatlantic relations.
  • Future Outlook and Strategic Considerations: Predictions on upcoming reforms, potential new frameworks under different U.S. administrations, and best practices for staying ahead in a shifting regulatory landscape.

Key Topics Covered

  • The evolving state of EU-US data transfer agreements;
  • How businesses can prepare for legal and compliance risks;
  • Lessons from Schrems II and other landmark decisions;
  • Strategic considerations for navigating geopolitical tensions; and
  • Best practices for ensuring secure and lawful data transfers.

This session is designed to provide decision-makers, compliance officers, and privacy professionals with a comprehensive understanding of how past U.S. policies have shaped today’s regulatory challenges—and what the future may hold. Stewart Haynes brings his knowledge as a former information commissioner about what to expect as the regulatory landscape changes with the new US presidency.

Sign Up Now to Secure Your Spot!

Don’t miss this opportunity to gain exclusive insights from a former regulator and a leading privacy expert. Whether you are a legal professional, business executive, or privacy enthusiast, this webinar will equip you with the knowledge needed to navigate the complexities of transatlantic data flows with confidence.

We look forward to seeing you on February 11, 2025!

Does Server Location Really Matter Under GDPR? Understanding Data Localization in the Context of Data Protection Compliance
https://techgdpr.com/blog/server-location-gdpr/
Tue, 02 Jul 2024 15:10:41 +0000

Many organizations wonder, “Does server location really matter under GDPR?” The question arises from the complex landscape of data protection regulations, in which the location of user data is often given strong emphasis. In the context of the GDPR, however, data localization is less important than many people think. Under the GDPR, securing data when it is transferred is actually more important than where it is located.

Data localization is the practice of storing and processing data within a defined geographical area. The term is often used interchangeably with data residency, but the two are slightly different. Data residency refers to the actual location of the servers and other infrastructure used to store and process the data. Data localization includes the concept of data residency but also incorporates data sovereignty, which refers to the right of a legal authority or other entity to exercise control over data within its borders. Data localization is therefore the combination of data sovereignty and data residency.

The EU’s General Data Protection Regulation (GDPR) prioritizes strong data protection practices and indirectly favors storing personal data within the EU. Data localization, however, is not a strict legal requirement under it.

What is required to transfer data outside of the EEA?

The GDPR does require “appropriate safeguards” for transferring data outside the EU. Articles 44 to 50 of the GDPR set out the requirements for storing and transferring data outside the EEA, including adequacy decisions, standard contractual clauses, certifications, and binding corporate rules, as well as the cases in which processing activities are exempt from these requirements.

Standard contractual clauses, described in GDPR Art. 46, are legally binding data protection clauses approved by the European Commission. Binding corporate rules (BCRs), described in GDPR Art. 47, are internal rules adopted by multinational companies or groups of enterprises for transfers within the group. BCRs ensure that all members maintain an appropriate level of GDPR compliance regardless of their location. If a company decides to rely on BCRs as a transfer mechanism, all of its EU-based entities must adhere to them when transferring data outside the Union. There are also certification mechanisms for transfers; however, these alone are not sufficient for data transfers outside the EEA.

An adequacy decision states that a country outside the EEA provides adequate data protection measures. If an adequacy decision is in place, no additional data protection safeguards are required. There are currently adequacy decisions for the following countries: Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom under the GDPR and the LED, the United States (commercial organizations participating in the EU-US Data Privacy Framework) and Uruguay.

Addressing the US

Many tech companies and third-party service providers are located in the U.S. The Schrems II judgment of July 2020 invalidated the EU-U.S. Privacy Shield, which had allowed EU-U.S. data transfers. The reason was concern about data sovereignty: personal data of EU data subjects located in the U.S. could be processed under, and subject to, U.S. surveillance, meaning that U.S. law did not actually provide EU data subjects with privacy protection adequate under the GDPR. After this case, data localization within Europe became more common as a way to avoid transfers to the U.S. where possible.

The GDPR does not mandate data localization, but it sets strict rules and requirements for processing data outside the EEA. Storing and processing the data of EU data subjects within the EU makes GDPR compliance easier; however, compliance is not just a matter of data localization. Data security and data minimization are also crucial.

Understanding Data Practices

In recent years there has been a growing trend of organizations using third-party services such as content delivery networks (CDNs) and cloud storage. CDNs have become increasingly popular and serve a majority of web traffic, including traffic from major sites such as Facebook, Netflix, and Amazon. Server location means where the servers physically are. Large service providers such as Amazon, Google, or Cloudflare allow companies to choose the location of the servers holding their data. While Amazon is a U.S. entity, information stored on an Amazon server located in Germany, for example, is subject to German legal requirements on data sovereignty.

In 2021, a report was published revealing that within the calendar year 44% of organizations had experienced a data breach, and that the majority of these breaches were due to not properly assessing the risks of third-party vendors. Many organizations see the use of third parties as a security risk, but not a high one, which leads to insecure and poor data management practices. It is important to use strong security practices, such as always sending personal information over TLS-encrypted connections (HTTPS) rather than plain HTTP. While the location of the third parties used is important, it is arguably less important than the data management and security practices those third parties implement.

The Global Landscape of Data Privacy and Data Localization

Some countries have stronger data localization laws. In 2017 there were 67 data localization laws; by 2021 that number had grown to 144, reflecting a growing trend towards regulating data localization. The most notable data localization laws are those of China, Brazil, Russia, and India.

Other countries also require data localization, so when processing information about data subjects located in specific countries it is important to be aware of any applicable data localization requirements. Specific industries such as healthcare have regulations that impose data residency requirements, such as the UAE Health Data Law.

Conclusion

While data localization can facilitate compliance and simplify certain regulatory aspects, under the GDPR the ultimate focus must remain on implementing strong, consistent data protection practices. The GDPR prioritizes securing data through comprehensive safeguards, regardless of physical location, and relies on mechanisms such as standard contractual clauses, binding corporate rules, and adequacy decisions to ensure protection across borders. There is a growing trend towards data localization as more regulations require data residency; this article does not take such other local regulations into account. Furthermore, the evolution of global data privacy laws suggests a continuing effort to balance data sovereignty with international data flows, underscoring the importance of robust security practices over mere geographic constraints.

Therefore, when asking “Does server location really matter under GDPR?”, the answer lies in balancing data security and compliance measures, regardless of geographical constraints. TechGDPR can help you understand how to navigate data privacy regulations and ensure a high level of compliance.

UK Restricted Transfers: Standard data protection clauses by the ICO
https://techgdpr.com/blog/uk-restricted-transfers-standard-data-protection-clauses/
Fri, 15 Mar 2024 14:55:28 +0000

As organisations continue to navigate the complexities of data protection laws, staying abreast of key deadlines is paramount. One such deadline relates to organisations involved in restricted transfers of personal data under UK data protection law. The ICO set a critical deadline for organisations that transfer personal data outside the UK. This article explains what you need to do to ensure compliance with the ICO’s directive and the UK GDPR.

The deadline concerns the validity of the old EU standard contractual clauses (SCCs) issued by the European Commission under the previous Data Protection Directive (the old EU SCCs). Note that the EU has also replaced the old EU SCCs; the last month of their validity there was December 2022. If your organisation relies on these clauses for restricted transfers from the UK, they are no longer valid for restricted transfers after March 21, 2024. The ICO has issued two sets of standard data protection clauses for restricted transfers under the UK GDPR. Organisations must either enter into a new contract based on the International Data Transfer Agreement (IDTA) or annex the Addendum provided by the Information Commissioner’s Office (ICO).

Standard data protection clauses are pre-approved contracts that organisations can use to ensure personal data transferred outside the UK receives adequate protection.

How to determine if this deadline affects your organisation in the UK

If your organisation transfers personal data outside the UK (restricted transfers), you need to act now if you were previously relying on the old EU SCCs. These old SCCs are no longer valid for restricted transfers under UK GDPR after March 21, 2024.

1. Assess your current restricted data transfers

Review your organisation’s current data transfer practices to ascertain whether they involve restricted transfers under the UK GDPR. Do you transfer personal data from the UK to countries outside the UK? If yes, were you previously relying on old EU SCCs approved under the Data Protection Directive for these transfers? If you answered yes to both questions, you need to switch to the International Data Transfer Agreement (IDTA) provided by the ICO. If you answered no to the second question, you may not need to take further action.

Note that in the UK, if you currently rely on the new EU SCCs adopted in June 2021, it is not necessary to sign the IDTA; the ICO allows you to annex the Addendum to your existing EU SCCs. However, if the SCCs are old, you will have to stop relying on them completely.

2. Evaluate existing Agreements

Determine when your organisation entered into the contracts. Contracts entered into under the Data Protection Directive are valid only until March 21, 2024, after which any transfer of personal data out of the UK under such Agreements will most likely constitute an illegal transfer of data.

As an indication, the new EU SCCs were adopted in June 2021, therefore any EU SCC document dated before that would be the old version.

The ICO restricted transfers deadline affects my organisation. What can I do?

The UK Information Commissioner’s Office (ICO) offers two options for compliant data transfers after March 21, 2024.

Organisations in the UK can choose to do either of the following:

1. Use the UK International Data Transfer Agreement (IDTA)

This Agreement is specifically designed for restricted transfers under the UK GDPR.

2. Use the UK Addendum with the new EU SCCs

This option allows you to leverage the new EU SCCs (adopted in June 2021) but requires an additional agreement (the Addendum) to ensure compliance with the UK GDPR. If your organisation relies on the new EU SCCs, it will need to annex the Addendum to comply; it will not need to enter into an entirely new agreement. Before annexing the UK Addendum to previously signed SCCs, make sure to check with the other contracting party or parties, so that they are aligned on the additional obligations introduced by the UK Addendum.

3. Conduct a Transfer Risk Assessment

Regardless of the option you choose, you must conduct a transfer risk assessment. This assessment evaluates the potential risks to personal data in the recipient country. This is a requirement by the ICO.

Conclusion

It is essential for organisations to act proactively. Doing this prevents disruptions in data transfers and potential non-compliance with data protection laws. Not sure about how the required changes impact your organisation or need assistance in navigating the required changes? Get in touch with us. We can carry out a quick assessment and design custom-made solutions to align your organisation with the ICO’s directive.

Generally, we can help your organisation stay ahead of compliance requirements and safeguard the integrity of data transfers in accordance with UK data protection laws.

In summary…

  • Review your data transfer practices. Identify all instances where you transfer personal data from the UK to countries outside the UK.
  • Determine if you were using old EU SCCs for these transfers.
  • If the deadline applies to you, explore the IDTA and Addendum options.

EU-US Data Privacy Framework Adopted
https://techgdpr.com/blog/eu-us-data-privacy-framework-adopted/
Mon, 10 Jul 2023 15:47:32 +0000

This afternoon, the European Commission adopted an adequacy decision for the EU-US Data Privacy Framework. The decision finds that the United States provides a level of data protection equivalent to that of the European Union, enabling the safe and unrestricted flow of personal data from the EU to U.S. companies participating in the new framework.

EU Companies using US vendors for their data

For companies operating within the EU, this adequacy decision eliminates the need for additional data protection measures when transferring personal data to U.S. vendors participating in the EU-U.S. Data Privacy Framework. It streamlines data transfers, allowing businesses to focus on their core operations without being burdened by complex compliance requirements.

If your company relies on U.S. vendors for services or data processing, this decision brings positive implications. The EU-US Data Privacy Framework introduces comprehensive binding safeguards to address concerns raised by the European Court of Justice. These safeguards ensure that access to EU data by U.S. intelligence services is limited to what is necessary and proportionate for national security purposes.

Moreover, the framework establishes a redress mechanism for EU individuals whose data is mishandled by U.S. companies. This includes independent dispute resolution mechanisms and an arbitration panel, providing added assurance to EU consumers and reinforcing trust in transatlantic data flows.

Serving EU Customers from the US

For U.S. vendors seeking to serve EU customers, participation in the EU-US Data Privacy Framework is crucial. By committing to comply with a detailed set of privacy obligations, U.S. companies can demonstrate their adherence to the high data protection standards required by the EU. This includes obligations such as purpose limitation, data minimization, data retention, data security, and responsible data sharing with third parties.

The framework will be administered by the U.S. Department of Commerce, ensuring proper oversight and monitoring of participating companies’ compliance. The U.S. Federal Trade Commission will enforce these obligations, safeguarding the interests of EU individuals and promoting accountability among U.S. vendors.

It is important to note that the safeguards implemented by the U.S. government to protect data privacy will also benefit companies using other data transfer mechanisms, such as standard contractual clauses and binding corporate rules. This provides flexibility and reassurance for companies engaged in transatlantic data transfers, regardless of the specific mechanism they choose.

cross-border enforcement

We encourage companies to familiarize themselves with the details of the adequacy decision and the obligations set forth in the EU-US Data Privacy Framework as this will affect many data setups.

Criticism of the EU-US Data Privacy Framework

Critics argue that the new Trans-Atlantic Data Privacy Framework closely resembles its predecessors, particularly the failed “Privacy Shield” agreement. The fundamental concerns regarding U.S. surveillance laws and the unequal treatment of non-U.S. persons in terms of constitutional rights remain largely unaddressed. The framework’s reliance on the U.S. Executive Order 14086, which includes the term “proportionate” but interprets it differently than the European Court of Justice (CJEU), has raised concerns about the adequacy of protections.

Furthermore, the redress mechanism established under the new framework has been questioned. While some improvements have been made compared to the previous “Ombudsperson” mechanism, the individual’s direct interaction with the newly formed Civil Liberties Protection Officer (CLPO) and the “Court” is limited. Critics argue that this mechanism does not provide true judicial redress, as the response is already known before a case is brought, potentially undermining the effectiveness of individuals’ rights to seek redress.

It is expected that the privacy advocacy group noyb (None of Your Business) will challenge the adequacy decision in court. They contend that the new framework lacks substantial changes and does not address the necessary reforms to U.S. surveillance laws. Previous attempts, such as the “Safe Harbor” and “Privacy Shield,” have been declared invalid by the CJEU.

The potential legal challenge could result in further scrutiny of the Trans-Atlantic Data Privacy Framework. If the case reaches the CJEU, the court may suspend the framework during the review process, leading to a final decision in 2024 or 2025. This uncertainty raises concerns about the legal validity of data transfers conducted under the new framework.

EU-US data transfers: US Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities and the impact on organizational GDPR compliance.
https://techgdpr.com/blog/us-executive-order-and-impact-on-eu-us-data-transfers/
Tue, 20 Dec 2022 08:34:00 +0000

It is no longer news that EU-US data transfers have become increasingly challenging since the invalidation of the EU-US Privacy Shield Framework in 2020. Since then, companies have had to rely on standard contractual clauses and, in other cases, data subjects have had to consent to such transfers knowing the risk of US government access. The economic relationship between the EU and the USA is currently valued at about $7.1 trillion. Given this value, it is no wonder that there have been efforts to make data flows between the EU and the USA less cumbersome and to preserve the economic relationship between the regions. This document provides a brief summary of the latest effort by the US government to foster trust in the data privacy framework of the USA: the US Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities.

On 7th October, 2022, President Biden signed the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (EO) to ensure that the obligations of the US under the EU-US Data Privacy Framework are carried out. The EO is divided into 5 sections: purpose, signals intelligence activities, redress mechanisms, definitions and general provisions.

For the purpose of this document, the significant provisions of the EO will be highlighted. To understand the provisions clearly, it is important to first understand what signals intelligence means. Signals intelligence describes a form of intelligence gathering by intercepting electronic signals. In the US context, signals intelligence involves collecting foreign intelligence from communications and information systems and providing it to customers across the U.S. government, such as senior civilian and military officials. They then use the information to help protect US troops, support allies, fight terrorism, combat international crime and narcotics, support diplomatic negotiations, and advance many other national objectives.

Legitimate objectives for signals intelligence

Signals intelligence will not be carried out randomly. According to section 2.b.i.A, this type of intelligence is to be carried out only for the following reasons:

  1. To assess the capabilities or activities of a foreign government, military or political organization, or any entity acting on its behalf, in order to protect the national security of the USA and its allies and partners.
  2. To assess the activities of international terrorist organisations that pose a current or potential threat to the national security of the US or its allies and partners.
  3. To assess transnational threats impacting global security, such as climate change, public health risks, humanitarian threats, political instability and geographic rivalry.
  4. To protect against foreign military capabilities and activities.
  5. To protect against terrorism and the taking of hostages conducted by or on behalf of a foreign government.
  6. To protect against espionage.
  7. To protect against threats from the development and proliferation of weapons of mass destruction conducted by or with the assistance of a foreign government, organization or person.
  8. To protect against malicious cybersecurity threats.
  9. To protect against threats to the personnel of the US or its allies or partners.
  10. To protect against transnational criminal threats, including illicit finance and sanctions evasion related to any of the objectives stated in this list.
  11. To protect the integrity of government property, US physical and electronic infrastructure and political processes such as elections from activities conducted by a foreign government, organization or person.
  12. To advance operational capabilities in order to further any of the reasons stated in this list.

Prohibitions on the conduct of signals intelligence activities

The objectives for which signals intelligence may never be conducted are listed in section 2.b.i.B of the EO:

  1. Suppression of criticism or the free expression of ideas or political opinions.
  2. Suppression or restriction of legitimate privacy interests.
  3. Suppression or restriction of the right to legal counsel.
  4. Discrimination against persons based on ethnicity, race, gender, gender identity, sexual orientation or religion.

The EO further states that collecting foreign private commercial information or trade secrets to afford a competitive advantage to US companies or the US business sector is not a legitimate objective and can therefore only be conducted with authorisation and in order to protect the national security of the US or its allies or partners.

The EO provides: “Signals intelligence collection activities shall be as tailored as feasible to advance a validated intelligence priority and, taking due account of relevant factors, not disproportionately impact privacy and civil liberties. Such factors may include, depending on the circumstances, the nature of the pursued objective; the feasible steps taken to limit the scope of the collection to the authorized purpose; the intrusiveness of the collection activity, including its duration; the probable contribution of the collection to the objective pursued; the reasonably foreseeable consequences to individuals, including unintended third parties; the nature and sensitivity of the data to be collected; and the safeguards afforded to the information collected.”

With respect to bulk collection of signals intelligence, the EO states that when it is determined that bulk collection is necessary to advance a validated intelligence priority, reasonable methods and technical measures shall be applied to limit the data collected to only what is necessary in order to achieve legitimate objectives.

Handling of personal information collected through signals intelligence

The EO also provides for the handling of personal information collected through signals intelligence. Elements of the intelligence community handling personal information shall ensure that policies and procedures are put in place to minimize the dissemination and retention of personal information. The provisions on retention of personal information provide an equal level of protection to ‘non-United States persons’ as to United States persons. For instance, under ‘Retention’ in section 2.c, the intelligence community “shall delete non-United States persons’ personal information collected through signals intelligence that may no longer be retained in the same manner that comparable information concerning United States persons would be deleted.”

With respect to data security and access, appropriate protection and the prevention of unauthorized access are to be ensured, consistent with the applicable safeguards for sensitive information in the relevant Executive Orders and Directives.

Worthy of note is the savings clause in section 2.e, which states that nothing in the EO shall be construed to limit any signals intelligence collection technique authorized under the Foreign Intelligence Surveillance Act of 1978 as amended (FISA). It should be remembered that one of the considerations for the invalidation of the Privacy Shield framework was section 702 of FISA. This section allows surveillance through ‘electronic communication service providers’, a term that American courts commonly interpret broadly.

Redress mechanism for EU-US data transfers

Section 3 of the EO provides for the establishment of a process for submitting qualifying complaints from qualifying states concerning any covered violation of US law, for investigation and appropriate remediation where necessary, and for the establishment of a Data Protection Review Court (DPRC). The designation of a qualifying state depends on a number of factors under section 3.f.i of the EO, one of which is that the country, regional economic integration organization or its member countries permit, or intend to permit, the transfer of personal information for commercial purposes between their territory and the territory of the US. This amounts to an application of the principle of reciprocity. The designation of a qualifying state can also be revoked if the countries or member countries do not permit the transfer of personal information for commercial purposes between themselves and the US.

What does this mean for EU-US data transfers?

You are probably wondering how this impacts your business operations and EU-US data transfers. The EO brings a ray of hope, as it promises easier data flows between the EU and the US. What is important to keep in mind, however, is that an Executive Order in the USA is just that and has no direct effect on EU territory. It is for this reason that the European Commission has published a Q&A on the EU-US Data Privacy Framework.

In this publication, it is stated that the European Commission will take steps to propose a draft adequacy decision and launch the procedure for its adoption. The final adequacy decision will only be adopted after scrutiny by the European Parliament, after which personal data should flow freely and easily between the EU and US companies that have been certified by the Department of Commerce under the new framework.

Until these formalities have been completed, nothing is required from businesses in the EU. If you hope to commence data transfers to the US, note that an adequacy decision is not the only way to achieve this. One mechanism adopted by the European Commission for international data transfers is the use of modernized standard contractual clauses, which businesses can include in their commercial contracts. The European Commission has also stated that, in the future, all the safeguards that the Commission has agreed with the US Government in the area of national security (including the redress mechanism) will be available for all transfers to the US under the GDPR, regardless of the transfer tool used.

Summary

Undoubtedly, the EO appears to be a laudable effort to create an environment of trust for EU-US data transfers. For instance, the establishment of a Data Protection Review Court is a progressive step because it provides a redress mechanism for so-called qualifying complaints from qualifying states. According to the White House, the provisions of the EO are intended to provide a basis for the European Commission to adopt a new adequacy decision aimed at restoring an accessible and affordable data transfer mechanism under EU law.

Despite being a commendable effort, the EO gives with one hand and takes with the other. The savings clause states that the EO does not limit any signals intelligence collection technique authorized under the Foreign Intelligence Surveillance Act (FISA), amongst other laws.

Furthermore, the process for lodging a qualifying complaint appears cumbersome, especially for non-US persons. This is because the CLPO will first have to review the complaint and inform the complainant, through the appropriate public authority in the qualifying state, whether a covered violation was identified or not. This means that complainants cannot lodge complaints directly or bring an action before the DPRC.

After the CLPO has reviewed a complaint, the DPRC (to be constituted by judges selected by the Attorney General in consultation with the Secretary of Commerce, amongst others) shall further review the decision of the CLPO where necessary. If the complainant applies for a review by the DPRC, an advocate will be selected by the DPRC to represent the complainant’s interest in the matter (section 3.c.i.E). This brings to mind the Latin maxim nemo judex in causa sua, which means no one should be a judge in their own case. Would an advocate employed by the DPRC really serve the interest of a complainant or that of its master? Time will tell.

The EO is conspicuously silent on the rights of the complainant. At best, it creates only an ‘[…] entitlement to submit qualifying complaints to the CLPO and to obtain review of the CLPO’s decisions by the Data Protection Review Court […]’ according to section 5.h. This section clearly states that the Order ‘… is not intended to, and does not, create any other entitlement, right, or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.’

On 13th December, 2022, the European Commission published a draft adequacy decision for EU-US data transfers, thus signaling the start of the adoption procedure for the EU-U.S. Data Privacy Framework following the US Executive Order. According to the European Commission’s official website, the Commission submitted its draft decision to the European Data Protection Board (EDPB). Afterwards, the Commission will seek approval from a committee composed of representatives of the EU Member States. In addition, the European Parliament has a right of scrutiny over adequacy decisions. Once this procedure is completed, the Commission can proceed to adopt the final adequacy decision.

In summary, while the Executive Order is a step in the right direction, it still leaves open questions about government surveillance and the enforceability of data subject rights in the USA. The coming months will bring interesting developments as more processes are put in place to comply with this Executive Order and to adopt a final adequacy decision for EU-US data transfers. Until then, it is advisable that businesses in the EU maintain the status quo and continue to limit data transfers to the US as much as possible, or rely on lawful mechanisms for such transfers.

International Transfers of Personal Data after the Schrems II ruling https://techgdpr.com/blog/international-transfers-personal-data-schrems-ii-ruling/ Thu, 06 Aug 2020 12:55:26 +0000 https://staging.techgdpr.com/?p=2686

On July 16, 2020, the top court of the European Union (CJEU) issued a groundbreaking ruling in the so-called “Schrems II” case concerning international transfers of personal data from the European Union. It was meant to deal mostly with transfers to the main EU commercial partner – the United States – but turned out to have implications for all countries outside of the European Economic Area (EEA).

In this article, we provide practical guidance for all organisations that export data outside of the EEA on how to reassess their transfers of personal data outside of Europe in a post-Schrems II era.

The Schrems II ruling of the European Court of Justice on transfers of personal data outside of the EU

The European Union is well known for its diligent approach to the protection of human rights. The GDPR, the regulation ensuring the right to personal data protection, limits all transfers of personal data outside of the European Union to ensure that the data and the rights of individuals are not abused as soon as they cross the EU border.

The European Commission produced a list of 13 countries deemed to ensure a sufficient level of data protection, to which personal data can be transferred without limitations. That list also allowed a select group of companies based in the US to receive personal data from their EU partners. The requirement for companies in this group was to self-certify and join the so-called EU-US Privacy Shield. Until recently, more than 5000 organisations used the scheme, including Amazon, Facebook, and Google.

With its judgement, the CJEU has invalidated the EU-US Privacy Shield, making further transfers of personal data to those organisations in the US illegal. Additionally, the ruling impacted another mechanism, that of Standard Contractual Clauses (SCCs), which was used in 88% of international transfers, warning that SCCs cannot always be used for transfers to third countries. It implied a similar fate for Binding Corporate Rules, another transfer mechanism for transfers within a corporate group.

As if this were not enough, the court left no grace period for organisations to understand their situation and come up with alternative transfer mechanisms applicable to their business model. This leaves thousands of transfers of personal data to the US and, presumably, to many other countries unlawful. This is why a swift reaction is vital for companies in the EU.

Step-by-step guide to international data transfers after the CJEU ruling

Step 1 – Audit existing transfers

To start with, prepare a list of all relationships with companies that imply transfers of personal data outside of the European Union. Acknowledge that storing personal data on cloud servers in another country, or using third-party applications such as CRM, HR, payment systems, collaboration tools, video-conferencing or task managers, definitely implies an international transfer of data. Remember that involving contractors or software development agencies from third countries also implies international data transfers.

Next, figure out the transfer mechanisms used by these partner organisations and service providers. Most of this information can be gathered from public sources, e.g. company websites, but if not, we recommend contacting your service providers directly. The mechanisms currently used by companies can be an adequacy decision (Art. 45 GDPR), the (defunct) EU-US Privacy Shield, Standard Contractual Clauses (Art. 46.3.a GDPR), Binding Corporate Rules (Art. 47 GDPR), or derogations (Art. 49 GDPR).

Step 2 – Choose appropriate safeguards

Pay specific attention to transfers of personal data to the US. While the situation with other third countries remains unclear, transfers of personal data to the States cannot continue as they do at the moment. Companies that have relied on the Privacy Shield must consider adopting new safeguards, and Standard Contractual Clauses cannot be used by providers of cloud computing and telecommunication services.

If you already use or consider using Standard Contractual Clauses or Binding Corporate Rules for transfers under Art. 46, ask your partners and service providers whether they are subject to national laws that:

  • require indiscriminate surveillance or data collection from them by government bodies;
  • prohibit deletion of the transferred data at the end of your relationship with them;
  • limit the rights of the concerned individuals (data subjects), such as the right to be informed and the rights of access, rectification and erasure upon request.

The restrictions above will be difficult to overcome with the available EU privacy safeguards, as the CJEU judgement confirmed. This is exactly the case with transfers to the United States: under Section 702 of FISA (50 USC § 1881a), all “electronic communication service providers”, meaning providers of remote computing services, electronic communication services, or telecommunications carriers, must share the data they store about foreigners with U.S. national enforcement agencies. As a result, it is considered that SCCs cannot be used for transfers of data to these types of providers at all.

For other types of partners and service providers, SCCs and BCRs remain a possible option, though additional examination will be necessary.

To make matters worse, foreign companies can be prohibited by statutory provisions from informing you about such requirements. The option in this case is to look into media coverage of such scenarios, as well as to check the national enforcement and judicial practice on data protection in their country. Best practice, however, is to regard companies that claim they cannot disclose that information as being under such a statutory obligation, and to interpret that answer as a sign that they are likely subject to such national requirements.

Step 3 – Consider derogations or restructure the transfers

Art. 49 of the GDPR provides derogations from the rule described above. For case-by-case transfers, you can ask for explicit consent from the data subject. However, this option seems unrealistic for transferring a whole database, as it may prove impractical to collect consent from all concerned users.

You can also transfer personal data to third countries if it is necessary to perform a contract with your users or other data subjects. Unfortunately, this is only available for transfers that are strictly necessary, i.e. where the execution of the contract takes place on U.S. territory (or that of another third country). That said, the mere convenience of transferring the data to the U.S. cannot be regarded as “necessity”, nor can the cost of the offered solution alone be a determining factor.

Finally, as a temporary measure, the company can argue that it has legitimate interests in the international transfers. This option can serve as temporary relief for companies that need time to re-architect their processing activities following the CJEU judgement. A transfer based on legitimate interests must not be repetitive, must concern only a limited number of data subjects, and must not be overridden by the interests or rights and freedoms of the data subjects. Two conditions apply when relying on this derogation: you must inform your supervisory authority and the data subjects about the transfers. Thus, legitimate interests might be used as a temporary measure while searching for a more reliable transfer mechanism.

There are many situations where none of the above options can be used by an EU company. For example, it is fairly difficult to come up with a solution for transferring personal data to cloud hosting providers in the U.S. or to the EU subsidiaries of those companies. In such cases, a strong decision is needed: restructuring your data processing and stopping transfers of personal data outside of the EU. In that case, only local EU service providers will be used, particularly those not under a legal or contractual obligation to transfer data back to the US, or merely to allow other entities access to it.

Conclusion: what to do after the Schrems II ruling

Until new guidance from the EU regulators, in particular the EDPB and the EU Commission, is issued, the situation with international transfers remains rather vague, to say the least. In accordance with its announcement in the assessment of the first 2 years of the GDPR, the European Commission is also working on new transfer mechanisms. The new safeguards should allow personal data to be transferred outside of the EEA more easily. This is much awaited work, considering that the current SCCs date back to before the GDPR and are therefore not fully in line with its provisions.

In the meantime, the companies are left with few options:

  1. To amend their processing infrastructure and limit transfers of personal data outside of the EU; or
  2. To take a risk and try to come up with protective measures to complement these unstable mechanisms, in an attempt to consolidate the current mechanisms. However, until the European Data Protection Board drafts guidance on such measures, the choice of such measures ought to be carefully examined by data protection professionals.

This article is for information purposes only, and does not constitute or replace legal advice. Seek professional support for any specific questions you may have.

If your business relies on international transfers of personal data, the TechGDPR team provides practical and actionable assessments for organisations to find a solution for each case. Feel free to reach out if you need further help.
