13 January 2021 | Marcin Kapuscinski

EU-U.S. privacy shield, our comment

EU restrictions may force US companies to change how they handle personal data received from Europe. To comply with the new guidelines, companies are likely to adopt more advanced encryption.

Some US-based companies will have to change significantly the way they secure their data if they want to keep working with European companies. That is what a draft EU text provides for: it contains guidelines for raising the level of protection for personal data transferred outside the European Union.

If the new rules take effect, companies that transfer Europeans’ personal data to the US or to other countries outside the EU may be forced to follow strict encryption practices and to ensure that the data cannot be decrypted in the destination country. According to privacy experts, the guidelines are likely to increase the use of newer data encryption methods.

This is an attempt to respond to the July 2020 ruling of the Court of Justice of the EU, which declared the EU-U.S. Privacy Shield invalid. The 2016 framework allowed transatlantic commercial data transfers, but the court ruled that U.S. government surveillance posed a privacy risk and that Europeans had no sufficient redress in the U.S. legal system.

The court also found that companies may continue to rely on a separate, widely used international transfer mechanism known as standard contractual clauses, but only with additional safeguards ensuring that the data is protected from surveillance.

Łukasz Olejnik, an independent researcher and cybersecurity consultant based in Brussels, stated that “data transfer to third countries is severely limited”.

The European Commission, the EU’s executive body, published late last year a draft revision of its standard contractual clauses, the pre-approved contract templates that govern how companies may transfer data to countries outside the EU. The new clauses tighten the requirements for companies that transfer data to business partners abroad.

The draft guidelines would apply to transfers to non-EU countries that do not have a so-called adequacy decision. EU authorities have so far granted 12 countries, including Canada and New Zealand, an adequacy finding, recognizing that their privacy laws are strong enough for companies to transfer Europeans’ personal information there without special precautions.

Regulators have listed several methods that companies could use to continue moving data internationally without violating the EU General Data Protection Regulation, in force since 2018. The guidelines do not require companies to take specific measures, but state that companies violate EU law when they transfer data without safeguards as strong as those recommended. Public consultations on the draft closed on December 21, 2020.

The European Commission’s draft standard contractual clauses also include updates responding to the court’s July ruling. Under the draft, non-EU companies would have to inform their business partners if any government or intelligence agency made a legally binding request for access to European data.

Companies will have to assess whether the laws of other countries threaten privacy, meaning they will need sufficient and accurate information about foreign laws, said Henri Kujala, Global Privacy Officer at HERE Global BV, a digital map services company. He added that making such an assessment could become more complex if the countries where the company’s suppliers are located change their laws.

Kujala said that regulatory support for techniques such as homomorphic encryption and secure multi-party computation is likely to increase their use. Homomorphic encryption allows computations to be performed on encrypted data without decrypting it. Secure multi-party computation splits data between several computers so that no single one of them can identify a person without additional information.
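To make the two techniques concrete, the following is an added example written for this page (not code from the article, from HERE, or from any regulator). Part 1 is textbook Paillier encryption, which is additively homomorphic: multiplying two ciphertexts modulo n² yields a ciphertext of the sum of the plaintexts, so a data importer holding only the public key can aggregate encrypted values while the decryption key stays with the exporter in the EU. Part 2 is additive secret sharing, the basic building block of secure multi-party computation: a value is split into random shares held by separate parties, each share on its own is uniformly random, and the parties can add shared values share by share. The primes and the share modulus are constructed, deliberately tiny and insecure; a real deployment uses 2048-bit or larger moduli and a vetted library.

```python
"""Added example: toy Paillier homomorphic encryption and additive secret sharing.
Parameters are constructed and far too small for real use (INSECURE)."""
from math import gcd
import secrets

# --- Part 1: Paillier (additively homomorphic public-key encryption) ---------

# Constructed demo primes; a real key uses primes of 1024 bits or more.
_P, _Q = 1000003, 1000033


def paillier_keygen(p=_P, q=_Q):
    """Return (public_key, private_key) for the textbook Paillier scheme."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)    # lambda(n) = lcm(p-1, q-1)
    g = n + 1                                         # standard simple generator
    # mu = L(g^lambda mod n^2)^-1 mod n, where L(u) = (u - 1) / n
    mu = pow((pow(g, lam, n * n) - 1) // n, -1, n)
    return (n, g), (lam, mu)


def paillier_encrypt(pub, m):
    """c = g^m * r^n mod n^2 with a fresh random r coprime to n."""
    n, g = pub
    assert 0 <= m < n
    while True:
        r = secrets.randbelow(n)
        if r > 0 and gcd(r, n) == 1:
            break
    return (pow(g, m, n * n) * pow(r, n, n * n)) % (n * n)


def paillier_decrypt(pub, priv, c):
    """m = L(c^lambda mod n^2) * mu mod n."""
    n, _ = pub
    lam, mu = priv
    L = (pow(c, lam, n * n) - 1) // n
    return (L * mu) % n


def paillier_add(pub, c1, c2):
    """Homomorphic addition: the product of ciphertexts encrypts the sum."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def paillier_scale(pub, c, k):
    """Homomorphic multiplication by a public constant k: c^k encrypts k*m."""
    n, _ = pub
    return pow(c, k, n * n)


def encrypted_sum(pub, priv, values):
    """Exporter encrypts each value; an aggregator with only `pub` adds them;
    only the key holder can decrypt the total."""
    cts = [paillier_encrypt(pub, v) for v in values]
    acc = cts[0]
    for c in cts[1:]:
        acc = paillier_add(pub, acc, c)       # aggregator never sees plaintext
    return paillier_decrypt(pub, priv, acc)


# --- Part 2: additive secret sharing over Z_q (MPC building block) ----------

SHARE_MOD = 2**61 - 1   # constructed prime modulus for the share field


def share(value, n_parties):
    """Split `value` into n_parties shares that sum to value mod SHARE_MOD.
    Any n_parties-1 shares are uniformly random and reveal nothing."""
    shares = [secrets.randbelow(SHARE_MOD) for _ in range(n_parties - 1)]
    last = (value - sum(shares)) % SHARE_MOD
    return shares + [last]


def reconstruct(shares):
    """Recombine all shares; this is the only step that exposes the value."""
    return sum(shares) % SHARE_MOD


def add_shared(shares_a, shares_b):
    """Each party adds its own two shares locally: no communication, no plaintext."""
    return [(a + b) % SHARE_MOD for a, b in zip(shares_a, shares_b)]


def shared_sum(values, n_parties=3):
    """Every party ends up holding one share of the total; reconstruct at the end."""
    acc = share(0, n_parties)
    for v in values:
        acc = add_shared(acc, share(v, n_parties))
    return reconstruct(acc)


if __name__ == "__main__":
    pub, priv = paillier_keygen()
    salaries = [4200, 3900, 5100]   # constructed sample data
    print("Paillier encrypted sum:", encrypted_sum(pub, priv, salaries))
    print("MPC shared sum:", shared_sum(salaries))
```

Both halves show the same property the guidelines care about: the party doing the processing (the aggregator, or any single share holder) never holds anything it could decrypt or identify on its own. Note that Paillier only supports addition and multiplication by public constants; arbitrary computation needs a fully homomorphic scheme, and secret sharing alone gives addition, with multiplication requiring extra protocol rounds.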

“For many companies, complying with the new data transfer guidelines would force cybersecurity and privacy teams to work more closely together,” said Caitlin Fennessy, research director at the International Association of Privacy Professionals. “… encryption rules. Privacy professionals will have to work with security professionals more than ever before.”


OUR COMMENT

Maintaining and developing oversight of data processing in organizations is a constant process of change management in response to the dynamically evolving needs of data owners.
The pursuit of standardization in data security, including the constant development of cyber-security technology, is already in the genotype of the EU and US structures, and it is a perfectly stabilizing friction mechanism.

There is work ahead for data controllers, who should already be making an individual assessment of the level of data protection provided in the context of cross-border data transfers. Protection must now take into account not only the contractual provisions agreed between data exporters and importers, but also the legal provisions of the third country, in particular those relating to possible access by that country’s public authorities to the transferred personal data.

Let us remember that this is a very recent judgment. On December 21, 2020, the EU concluded consultations intended to address the doubts around this situation by publishing draft legal solutions that data exporters will be able to use. In other words, there is a judgment but no implementing acts yet, and it takes time for national authorities as well as the EDPB (European Data Protection Board) to evaluate the judgment in more detail and provide further guidance on the use of personal data transfer instruments to third countries. – Piotr Zawadzki, COO – Quality at Transition Technologies Managed Services


Marcin Kapuściński, Transition Technologies Managed Services