Data protection regulators in the EU and UK have made significant moves in relation to international transfers of personal data in recent weeks which businesses need to be aware of.
In the UK, the anticipated new International Data Transfer Agreement and Addendum to the EU Standard Contractual Clauses have been laid before Parliament and are expected to come into force on 21st March 2022. Businesses now need to get to grips with these new transfer mechanisms and update their contracts. Contracts entered before 21st September 2022 can continue to rely on the old EU Standard Contractual Clauses until 21st March 2024 unless the processing operations covered by those clauses change and provided reliance on the clauses ensures that the transfer of personal data is subject to appropriate safeguards.
Assessing what amounts to appropriate safeguards, though, remains a real issue for businesses. This has been highlighted by EU decisions finding that the use of Google Analytics breaches EU data protection laws, and even finding the European Parliament in breach of the relevant laws in relation to its Covid-19 test booking website.
Since the invalidation of the US Privacy Shield back in 2020, the landscape around international transfers of personal data, in particular in relation to the US but also more widely, has been shifting and much uncertainty remains. Businesses are advised to map international data transfers, undertake Transfer Impact Assessments and determine on a case-by-case basis whether personal data is adequately protected when transferred or what, if any, supplementary measures can be put in place to address any inadequacies. This leaves businesses carrying a heavy compliance burden and a real risk that assessments and actions will be open to challenge.
The decisions of regulators in Austria and France in relation to Google Analytics found that, although the data controller and Google had put in place EU Standard Contractual Clauses and various supplementary measures, including data encryption, truncating IP addresses and government access transparency reports, these were not sufficient to address the (arguably theoretical) risk associated with US laws. Google has, as you would expect, expressed concern about these decisions and is pushing for the US and EU authorities to resolve the issues by agreeing a new framework to allow for legal transfers; in the meantime, it states that it is working on adding additional tools to help customers meet compliance objectives. What, if any, further tools or safeguards (short of avoiding such transfers altogether) will achieve compliance remains unclear.
It is worth noting that the complaints which resulted in the Google Analytics decisions were not directly against Google but rather concerned the website operators’ use of Google Analytics. At the moment, these decisions have not resulted in fines, but in the future any businesses which face such complaints could see very significant fines imposed, on top of the costs a business would incur in dealing with such complaints and the reputational fallout.
From a UK perspective, these Google Analytics decisions are not binding on the UK regulator, the Information Commissioner’s Office. If the UK took a different view, this might be seen as opening up opportunities for the UK market, but it could also call into question the EU adequacy decision in favour of the UK, and given that so many data flows involve both the UK and the EU, it would not solve all of the related issues for businesses operating in the UK.
For now, businesses in the UK, EU and internationally are left making some difficult decisions and trying to minimise risk whilst accepting that risk does remain however diligent they are.
This article is written by Susie Sanusi at Trethowans