How Change to EU-US Data Transfers is Leaving Global Companies in Legal Limbo

Personal data flows between countries as ubiquitously as dollars and euros. This bountiful data stream was abruptly dammed up this summer following a surprise ruling by Europe’s top court nullifying the EU-US Privacy Shield (the “Schrems II” ruling). More than 5,000 companies used this trans-Atlantic agreement to comply with GDPR as they moved data between the European Union and the United States, and its invalidation creates legal limbo for businesses that need to move digital information seamlessly around the world. A similar Swiss-US Privacy Shield was also recently struck down.

As a result of the change, corporations will need to review their data residency and sharing practices on a case-by-case basis to comply with the system of Standard Contractual Clauses (“SCCs”).

Can U.S. companies still transfer personal data from Europe? It’s complicated…

Following this landmark ruling, ensuring the secure flow of data from the EU to the US (and the UK, following Brexit) will be a significant challenge, given the lack of an international regulatory framework for data transfers, as well as emerging conflicts between competing data privacy regulations.

The verdict applies to any company that:

  • is an integrated affiliate of a US company, such as Facebook, Amazon, Twitter, etc.
  • relies upon US-based storage or processing services, regardless of where the data itself is processed

The ruling affects big tech companies like Google, Facebook and Amazon, as well as thousands of other global businesses. Legal experts say the data subject to transfer rules includes emails, social media posts, financial records, business files, HR info about employees, marketing databases and customer records.

Thus, the application of Schrems II is extensive and impedes a large number of activities, including processing data on the infrastructure of major cloud providers. Beyond data transfers themselves, the ruling also affects the use of AI, machine learning, cloud-based analytics, data sharing and enrichment.

There is no grace period for this new ruling, and fines for GDPR violations can exceed $50 million, or 4% of annual revenue.

Can SCCs be used instead? Maybe…

The CJEU also determined that Standard Contractual Clauses (SCCs), which enable private parties to transfer data from European data controllers to non-EU data controllers and processors, can continue to be used, but only if acceptable “supplementary measures” are applied to the data to ensure compliance with EU data protection laws. But it’s not that simple. US companies fall under the jurisdiction of the Foreign Intelligence Surveillance Act (FISA), which enables government agencies to access personal data without a warrant, rendering SCCs invalid.

To comply, companies must individually review each of their personal data transfers to determine whether the law in the non-EU country meets EU protections for personal data transferred under SCCs. Where data protection is inadequate or unclear, companies must add controls, or suspend or even terminate the transfers.

Additional clarification on data transfers is expected from the European Commission, as well as other regional data protection authorities.

ASG Data Intelligence supports data privacy compliance, come what may

As privacy regulations proliferate, compliance responsibilities continue to expand as new regulations are proposed and requirements become increasingly complex. Regardless of the challenges, the questions are always the same: what data you have, where it is located, and how it is being managed. With these challenges in mind, you can be confident in your compliance with new and emerging data privacy regulations when you take the proper steps to prepare your business. Reducing the risk of non-compliance and gaining confidence in the data you have will save you time and money.

Our Data Intelligence solution can scan through your data estate and report the origins, movement and flow – the lineage – of data. Content Services Platform, our policy-driven content services solution, manages the lifecycle of personal data, while also capturing and managing proof of an individual’s consent.

Capabilities from ASG meet critical areas of the GDPR, CCPA and other privacy regulations:

  • Automated PII discovery and classification
    • Accelerate the discovery of where personally identifiable information (PII) and other sensitive data is referenced.
  • Governance, policies, and classifications
    • Establish data management best practices for privacy compliance. Document an overview of terminology, policies, and approved data sources so that everyone within the organization can operate from a standardized data governance process.
  • Automated data lineage
    • Graphically maps the flow of PII from its origination in legacy platforms to its final point of consumption. Intelligent lineage delivers both vertical and horizontal views, offering a tangible connection between technical metadata and business context, governance policies, data sources, data processing origins, impact assessments and third parties affected by the EU’s new ruling.
  • Information governance and data management
    • Meet reporting requirements, assess compliance readiness and track your company’s progress in adapting your data residency and data sharing practices.

With ASG, companies can more easily comply with new and emerging global privacy regulations. By treating this transition as an opportunity to transform enterprise data intelligence and put in place the processes needed to clean, understand and trust data, your organization can future-proof its data and adeptly address changes. And with a better understanding and use of your data, you can adroitly exploit new opportunities, enhance operations, deliver greater value to customers and gain competitive advantages.