
Data Transfer to the US, Why and What EU Companies Must Change in 2022

Steeve Jimbuem-Yao
Head of Legal

The legal profession (at least) was content in June 2021, when the European Commission released its long-awaited, updated templates for the Standard Contractual Clauses (SCCs), including General Data Protection Regulation (GDPR) requirements and the Schrems II judgments of the European Court of Justice (ECJ) of July 2020. New SCCs for ensuring a higher level of data protection for EU citizens!

But – what are SCCs?

SCCs are one of the legal tools that allow the transfer of personal data from the EU to third countries (the United States, for example). According to the GDPR, in case of such transfer, legal safeguards must be implemented (SCCs for example) between the data importer and the data exporter.

…And Schrems II?

Schrems II literally means the invalidation of the so-called “Privacy Shield” (a legal tool for the transfer of data between the European Union and the United States).

Indeed, in Schrems II, the ECJ found that US data surveillance laws and compliance requirements for data processors in the United States made it impossible for EU companies to ensure that, once transferred, data for EU individuals in the United States would receive protections equivalent to those in the EU.

Specifically, the court identified Section 702 of the Foreign Intelligence Surveillance Act (FISA) of 2008, Executive Order 12333, and Presidential Policy Directive 28, which allow U.S. intelligence agencies to collect data on foreign nationals, as inconsistent with the rights guaranteed in Articles 7 and 8 of the EU Charter of Fundamental Rights.

Consequences for EU Companies using SCCs

With time, it is accurate to say that the invalidation of Privacy Shield (Schrems II) has created several problems for its users in Europe, especially those operating in the digital market and providing IT services: a different and more onerous regulatory environment.

Indeed, the ECJ has massively increased the accountability on EU companies with new costs, new risks, and an unspoken complexity that is not identified as such.

In other words, any EU company engaging in data transfer to the United States will need to take one of two courses. Either they conduct a regular, comprehensive assessment of the laws and regulations in place where they usually transfer and store data, and determine any changes they need to make (supplementary measures in addition to the SCCs). Or they simply withdraw from this complex transatlantic trade (which is currently strongly encouraged in the EU). The supplementary measures require time, an organized structure, and financial investments – and not all European companies can afford those.

Recommendations?

Pragmatism is key.

  1. EU Companies could entirely stop working with suppliers who transfer their data to the US (even if SCCs are in place). Is this risky? Well – yes …
  2. It is difficult to prove that adequate supplementary measures are sufficient. This depends solely on assessment by the relevant data protection authority. Is it worth risking fines that range from thousands to millions of euros for GDPR infringement when infringement is avoidable? For example, in Spain, VODAFONE España was fined by the local data protection authority to the tune of €8.15 million for multiple GDPR infringements, including €2 million for an approved international data transfer without taking sufficient measures as required under the GDPR.
  3. Convince top corporate management of the risk and offer a reasonable alternative solution: use only EU providers! This would be a strategic decision.
  4. It may not be perfect, but at least, you would do something for your company by showing good faith around the subject of data protection.

Realism?

Do we really think that the US is going to change their domestic surveillance laws to make EU regulators happy? Not likely…

EU companies are in the middle of something that is beyond them, and from my standpoint, this is one more proof that the “data wars” between the EU and the US have only begun.

Meanwhile, EU companies should pay attention: anticipation and reactivity are key elements to avoid collateral damage.

Where to start: A look around

If you’re looking to avoid security issues, then Pentalog can help.

We can carry out a security governance audit where our security specialists inspect your company’s digital assets and processes, then compare your current status to industry standards and best practices.

This audit analyzes architecture, data, and product development from the point of view of security. At the end of the process, you will have in hand a document that highlights the following key points where security is central:

  • Personal data handled by the solution
  • Potentially sensitive personal data
  • Threat modelling and risk analysis
  • Security control concerns (authentication, authorization, secure communication, data protection, account protection)
  • Web-level security controls (CORS, CSP)
  • Device-level security controls (protection of data, secure design of mobile apps)
  • Encryption levels
  • Where to host or process the data (you or your providers)
  • ‘Lift and shift’ suggestions (re-architecture)
  • Platform stability and performance issues

Next? A look ahead

Once you know where things can go wrong, once the audit uncovers the points that need attention, then you need to start anticipating and shoring up your defenses before any attacks can begin.

Security today starts by applying and implementing the GDPR regulations and standards. Our services can help make sure that you are ready to support this regulation and ensure full data privacy.

But where we go from there is tailored to your needs and your company. To help make sure that the individual concerns of each team and each company are addressed, Pentalog can onboard an expert Security Engineer in the Scrum Team to help promote a DevSecOps organization.

If you would like to learn more about how to protect yourself, your clients, your data, and your processes, think about bringing us in for a consult. We can help.