In the current international environment, where personal data is moved between countries with different rules, there’s always a tension between companies that keep data in various parts of the world and countries with highly protective regimes (in particular, those in the European Union) that want to ensure that their citizens’ data is protected. Given where some of the servers that store our data are based, this issue could be closer than you think, with so many popular Internet services that perform functions such as web analytics and cloud storage being hosted in places like the US.
An easy example of this would be the recent decision by the Austrian data protection authority that the use of Google Analytics (in that case, by a relatively small organisation) was not compatible with EU data protection laws.
This is significant for two reasons:
- Almost every business in the EU/UK that has a website uses Google Analytics.
- The problem is not only with Google Analytics but with sharing data to the US in general, which captures so many other commonly used services that ultimately store personal data in the US.
There have always been controls on transferring personal data out of the EU. This started in 1995 with the first data protection directive and more recently, GDPR has augmented the restrictions.
You may know the name Max Schrems; he (and his privacy activist group NOYB) have been putting pressure on regulators to enforce the rules more strictly.
In July 2020 the Court of Justice of the European Union issued a decision on the case of Data Protection Commission v. Facebook Ireland.
This held that:
- The EU-US Privacy Shield (a legal framework for regulating transatlantic exchanges of personal data for commercial purposes between the European Union and the United States) could no longer be used as a mechanism to legitimise transfers to the US. The root of this concern seems to be that the US government could compel a wide variety of companies located in (or storing data in) the US to hand over that data – even if, in some cases, the data itself is stored in a different country; and
- Where the Standard Contractual Clauses (“SCCs”) mechanism (a legal mechanism set out in the EU to help businesses in EEA countries transfer personal data to other companies in third countries) was used to legitimise transfers to countries not recognised by the EU to have an adequate level of protection, it was for the party sending the data to ensure that such a transfer could be compliant with the GDPR. This means that effectively the data controller (the person/entity exercising overall control over the purposes and means of the processing of personal data) would need to confirm for themselves that the data would be adequately protected before transmitting it, or put in place other protective measures.
Just to further confuse the issue, there are currently two versions of the SCCs, the EU ones and of course the UK ones, as the UK didn’t adopt the EU version as it had Brexited by then…
From 21 March 2022 the UK SCCs will be replaced by the UK international data transfer agreement. This doesn’t clear up the potential nightmare around transferring data to the US though, with many businesses and data protection practitioners now thinking it may only be a matter of time until the Austrian ruling referred to above would apply in the UK.
Some businesses are limiting transfers to the US to only non-personal data, such as business information and aggregate information that cannot identify the individual, and hoping that a new international transfer mechanism can be agreed. The alternative is hoping that the US will change its surveillance laws – good luck with that…
In conclusion, the constant legal developments around international transfers are putting many businesses somewhere between a rock and hard place.
Please prioritise:
- Identifying which agreements need to use the new UK International Data Transfer Agreements and preparing to replace your old documentation.
- Keeping a careful record of your personal data and who you share it with so that you can stop any transfers that are likely to prove risky.
Regards to all,
Roger