European countries are displaying a growing level of mistrust over the way the United States handles sensitive data transferred across the Atlantic.
The EU-US Privacy Shield’s days have looked numbered ever since the European Court of Justice agreed that it fails to protect EU citizens’ data from possible government snooping in the States.
Since that summer ruling, Israel has announced it will no longer use the ‘shield’, which was set up in 2016, while Ireland’s data watchdog made a preliminary order to ban the sharing of EU data with the US.
This decision failed to prompt a ‘like’ from Facebook, instead leading the angry social media giant to threaten pulling out of Europe altogether.
And this has merely stoked fears of a trans-Atlantic privacy trade war with the big problem being that the United States does not have its own version of GDPR (General Data Protection Regulation).
The growing sense of mistrust towards US companies in handling sensitive data was also evidenced in a survey among British internet users by YouGov, where the results showed the level of scepticism had grown from 35 per cent in 2015 to almost 75 per cent last year (73%).
In delivering its summer verdict, the European Court of Justice said: “The requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred.
“The limitations on the protection of personal data arising from the domestic law of the United States… are not circumscribed in a way that satisfies requirements.”
Europe now requires companies to sign non-negotiable Standard Contractual Clauses which are already being used by some major companies including Microsoft.
But even these new measures look set to hit problems in the near future.
Data protection expert Tim Turner warned: “If the law in the relevant country – let’s say the USA – could override what the contract says, they don’t work.
“It’s hard to imagine that any European regulator would say that SCCs work for the US, and the pressure will pile on for them to make the assessment. I don’t think SCCs escaped the court’s judgement – for some key countries, it’s probably just a stay of execution.”
For businesses who previously relied on the EU-US Privacy Shield then the Information Commissioner’s Office has advised that you take stock of the international transfers you make and react promptly as guidance and advice becomes available.
In the meantime, when transferring data internationally, you should conduct a risk assessment as to whether SCCs provide enough protection. The data recipient may be able to assist with this.