A recent major ruling in Europe undermines a mechanism thousands of firms use to transfer personal data to the US. This has big implications for sectors such as private banking and wealth management. This article examines the fine details of what is at stake.
Urgently seeking alternatives
Experts are urging organisations to seek alternative transfer mechanisms as a matter of urgency. Although firms were given a three-month grace period when Privacy Shield’s predecessor, Safe Harbor, was struck down in 2015, the authorities are now taking a more aggressive approach: the Berlin authority, for example, has looked to suspend transfers relying on Privacy Shield.
Standard Contractual Clauses (SCCs) seem to be the order of the day (those either adopted by the EU Commission, approved by it after development by national Data Protection Authorities or negotiated on a bespoke basis between organisations and DPAs). In fact, Ross McKenzie, partner at law firm Addleshaw Goddard believes most firms working under the Privacy Shield would also have SCCs in place as a back-up “because we knew this might happen”.
As McKenzie observes, there was actually much cause for rejoicing in the fact that the ruling upheld the validity of SCCs.
“That piece was most worrying because we could have seen the European Court of Justice potentially unpicking the thread that holds our global tapestry of data protection transfers together,” he says. “We would have had the worst of both worlds, where you don’t have a transfer mechanism and you don't have a solution. It’s been a positive result in the sense that it gives some commercial common sense to the situation.”
Devil in the detail
However, there is devil in the detail of how the ruling dictates that SCCs should be approached, which experts have been quick to point out. “It clearly says, ‘We're not happy with the US systems’, so the data protection officer is now being expected to effectively audit data transfers to global businesses,” says McKenzie. “And they're now expected to suspend transfers if they suspect the legal system of another country can't support the contract and the rights of individuals.” He added that SCCs always had this requirement, but SCCs are often not scrutinised.
Another, ambitious, option is for multinationals to develop Binding Corporate Rules unilaterally imposing GDPR standards for intra-group transfers. With an extensive list of requirements and lengthy negotiations with multiple DPAs necessitating hefty legal fees, these are not for the faint-hearted. However, as McKenzie observes: “BCRs haven't been scrutinised by the European Court of Justice because they are viewed as a much higher standard, so that is a positive message.”
Firms that decided to make the investment have experienced a “halo effect”, he confirms, but BCRs are as vulnerable to scrutiny as other transfer mechanisms, since they often depend on SCCs for transfers outside a company group. It seems that this is far from the end of the EU’s crusade against jurisdictions which it sees as offering inadequate data protection safeguards; experts are now calling for political solutions to what seem to be intractable problems, often rooted in constitutional issues. Wrangling over Brexit and data protection promises to be particularly noxious, many warn.
Further guidance incoming
In the short term, data controllers and processors anxiously await guidance from their respective DPAs (it should be noted that the US Department of Commerce is still holding firms to their Privacy Shield commitments on pain of data deletion). There are a number of practical steps responsible data controllers should be taking right now however, says Lorimer: “Firstly, review your Records of Processing Activity and supply chain to understand your personal data processing. Where are transfers taking place? Where do your third parties store your data?
“Next, assess the impact of those flows on compliance and contracts. Do you need to use SCCs in place of Privacy Shield? Where are there gaps and risks? Is your data in an adequate location and being protected by the appropriate technical and organisational measures?”
As she highlights, the spirit of the GDPR is imbued with the accountability principle. So, despite wealth managers increasingly operating via a complex web of data transfers both internal to groups and to third parties, they must get clarity and maintain it.
“It might seem like a large piece of work, but when it comes to your data flows it's vital to understand the full picture to remain accountable and to know what guardrails your contracts provide,” Lorimer concludes. “In light of this ruling it should be right at the top of firms’ to-do lists.”