There is a problem with data security law in the EU and US: enforcement and legislative procedures are local to a particular country. So, while GDPR may well be a strong deterrent to the illegal use and incorrect storage of data here in the UK, if that data is then transferred to the US, it effectively comes under the constraints of a different legal structure in the USA. These two structures differ in some key areas when it comes to accessing personal data. For a large number of transatlantic companies, the way they comply with secure data transfer requirements could very well be about to change.
In fairness, we are speculating somewhat in this article. The size of these decisions and the speed at which changes happen at this level mean there is probably not going to be an immediate issue. That said, the potential problems for UK transatlantic and EU data flows are numerous and, like a small ripple that becomes a big wave by the time it reaches the shore, a change to the EU/US protocols could have a significant impact on compliance in the UK.
To cut a long, rather complex story short, in 2015, a protocol for securing EU data privacy in the US, known as the ‘safe harbour agreement’, was deemed invalid by the European Court of Justice because it did not offer enough protection. As a result, a new agreement known as the Privacy Shield Framework was negotiated. This was designed to ensure that the same level of data privacy was applied in the US as in the EU, protecting the personal information and other sensitive data of EU citizens from the less strict US laws. United States privacy law differs from EU law in several key areas, such as how the US government gathers data for intelligence purposes; some of these activities contravene the EU perspective on the lawful obtaining of such data. While the Privacy Shield was constructed around the protection of personal data, US law itself was not changed. This potentially allows the US government and US businesses to access EU citizens’ personal data, in a way unacceptable to the European Union, once a US institution is part of the data flow.
Privacy activists were not happy about the Privacy Shield, arguing that without legislative control it really wasn’t a shield as such, more a set of guidelines, and that personal data was at risk of being stored and exploited in ways beyond the control of the owner. In July last year, the European Court agreed and declared the Privacy Shield invalid.
In response last month, the EU and US issued a statement committing to:
‘…intensify negotiations on an enhanced EU-U.S. Privacy Shield framework to comply with the July 16, 2020 judgment of the Court of Justice of the European Union in the Schrems II case.’
The announcement is a step towards a further and, hopefully, more robust agreement on data privacy between the US and the EU.
So, what does all this mean?
Well, to cut through the high-level discussions and political rhetoric, what it comes down to is that without agreement on how data is stored, accessed and used, international data flow becomes a pretty difficult area. Initially, this will probably have the respective lawyers rubbing their hands over the overtime forms, but it could change how the transatlantic data flow is processed. That, in turn, affects the way your data is stored by a few minor players in the data arena, such as Amazon, Google, Microsoft and many others. The repercussions could therefore influence trade in the long term because, should the US not be able or willing to comply with the stricter EU privacy laws, the EU could end up storing its citizens’ data only within the EU, which is expensive and will push prices up accordingly.
Bringing it down to a more local level, there is a further consideration. These data protection protocols were created by the EU and US. Britain is no longer part of the EU, and therefore, while we adopted the initial version of the data protection arrangements for the transatlantic data flow, we will not necessarily adopt any further changes. There is, therefore, the distinct possibility that we would need to negotiate our own, new version with both the US and now the EU. With governmental policy seemingly focused on maintaining the often-quoted ‘special relationship’ with the US, we may look to accommodate them by continuing down the Privacy Shield framework style route. This would impose lower security requirements on data flow than those required by our neighbours in the EU. If this happens, then we could see problems with maintaining data flow with the US and the EU at the same time.
Again, this may not initially seem particularly concerning for many smaller businesses in the UK, but consider the problem caused by a US-friendly protection framework that does not work for a multi-site EU/UK business. Suppose European businesses were unable to comply with their own data protection requirements when adopting a data flow between the EU and the UK. In that case, the implications are multiple and concerning for everything from logistics to banking.
Whether all this will come to pass is yet to be seen. The differences between EU and US law on the very core of what is considered ‘private data’ are fundamental. From the UK point of view, in a post-Brexit economy, with the UK reaching out to other, less data-secure markets, it is conceivable that we could rewrite our own protection to free up trade with countries in the South Asian markets as well as the US. That would mean lessening the restrictions on several points of data security which are currently at the core of the new discussions between the EU and the US.
These restrictions on personal data storage and access are also a fundamental part of the core requirements of GDPR. This, in turn, could mean that the UK legislative process and what constitutes data security could be slated for review. If that happens, we will probably be looking at new policies and procedures.
Intensifying Negotiations on transatlantic Data Privacy Flows: A Joint Press Statement https://ec.europa.eu/commission/presscorner/detail/en/statement_21_1443?mkt_tok=MTM4LUVaTS0wNDIAAAF8CVBrR6vRgczTETTyNTjjo6SRMzYcNUMpqDTWgIY8Ezfkt4tpWqTgj4-1tm_qTqJP6k6ddY3L5-K0vhsrYl1OSammbvk6D7et326YLCFzT6qU