The assumption that our online data is easily protected from prying eyes may be a hopelessly naïve one, but it appears to have taken until 2015 for the reality to sink in at EU level.
That year saw the Court of Justice of the EU (CJEU) strike down Safe Harbour, the agreement that had for years governed the transfer of data from the EU to the US, following revelations that Big Tech companies had allowed US authorities to snoop on EU citizens through their services.
With data transfer estimated to underpin over US$7 trillion in trade between the two economies, it was also clear a replacement had to be found. The search has proved a protracted one.
In 2020, the CJEU struck down the successor to Safe Harbour, the EU-US Privacy Shield Framework, citing similar concerns about the protections it afforded.
Without an overarching agreement, data transfers are governed by complex Standard Contractual Clauses (SCCs), placing the responsibility on individual companies to ensure that EU citizens’ data is processed in the US to the equivalent standard of the EU’s GDPR.
This was a challenge that Meta, the parent company of Facebook, was found to have failed at spectacularly earlier this year as Ireland’s data protection commissioner (DPC) slapped a record €1.2bn fine on the company and ordered it to suspend the transfer of user data from the EU to the US.
The DPC said that Meta’s use of SCCs ‘did not address the risks to the fundamental rights and freedoms of data subjects that were identified by the CJEU in its judgment’.
Under pressure to find a solution that meets privacy and commercial concerns, the EU and US announced agreement this year on the EU-US Data Privacy Framework (DPF), which, EU President Ursula von der Leyen said, ‘will ensure safe data flows for Europeans and bring legal certainty to companies on both sides of the Atlantic’.
Dubbed Privacy Shield 2.0, the DPF hinges on a so-called ‘adequacy decision’, whereby the US ensures an adequate level of protection, comparable to the EU’s GDPR, for personal data transferred there.
The limiting of access to EU data by US intelligence services and the establishment of a Data Protection Review Court, to which EU citizens have free-of-charge access, are key planks of the framework, which came into force on 10 July.
Underpinning its protections is an executive order issued by US President Joe Biden in 2022, which restricts the country’s intelligence agencies to data gathering on EU citizens that is ‘necessary’ and ‘proportionate’.
Time to measure
Financial services companies are not under the remit of the DPF, for the moment at least. According to Michelle Hourican FCCA, director of Datatrails, a company that specialises in GDPR training, audits and support, this may be a blessing in disguise.
‘Financial services institutions will have the benefit of the lessons learned from the initial participants to the framework before it ultimately expands to include them,’ she says, adding that while the new framework appears to offer a flexible alternative to the previous regime, ‘its success will take at least five years to measure’.
Accounting practices that operate without any notable international dimension may wonder whether the DPF – or, indeed, the issue of data flows generally – is one that should concern them.
Hourican’s answer is emphatic. ‘Accountants should know where their employees’, clients’ and suppliers’ personal data is stored by their outsourced service providers, either within the EU/EEA or in third countries. It’s the law,’ she says. ‘If a practice is storing employee, client or supplier personal data in countries that have no data protection legislation or safeguards in place, they are putting them and their own reputation at risk in the event of a data breach.’
Hourican also stresses that business doesn’t need to be transacted across the Atlantic for third-country transfers to apply. ‘If data flows from the third parties providing services include data being stored on a server in the US, then your data is in a third country,’ she explains. ‘Do you know, for example, where your financial system or your customer relationship management system hosts your data?’
While the DPF has been broadly welcomed by business and IT groups, this is tempered by expectations of what is to come.
Perhaps the most extraordinary aspect of efforts to safeguard EU citizens’ data is the extent to which it has hinged on the efforts of one individual: privacy campaigner Max Schrems. The Austrian first raised concerns in 2013 about Facebook illegally transferring personal data to the US in a complaint to the DPC that was dismissed as ‘frivolous and vexatious’.
His later success in legal challenges to Safe Harbour and Privacy Shield saw the subsequent periods dubbed Schrems I and Schrems II, while he was also behind the complaint that led to Meta’s mammoth fine earlier this year. Schrems has indicated that he will challenge the DPF in the courts, stating: ‘We would need changes in US surveillance law to make this work – and we simply don’t have it.’
The long-term role of the DPF in data transfers between the EU and US will hang on a decision by the CJEU, likely to come in 2024 or 2025. The era of uncertainty on the use of private data for both individuals and industry is set to continue for some time to come.