Finding an answer to the legal limbo of transatlantic data flows

Dec. 2, 2020
The impasse over cross-country data flows between the U.S. and E.U. highlights the lack of trust between very different policy regimes

On Nov. 19, four months after the European Court of Justice’s Schrems II ruling invalidated Privacy Shield because it didn’t comply with EU citizens’ privacy rights, the European Data Protection Board (EDPB) presented recommendations on how companies that transfer data from the European Union to the United States can comply with the ruling. While these recommendations on supplementary measures were needed and highly anticipated, they are not a “catch-all solution” for data exporters. Companies still face many challenges.

A State of Cybersecurity Legal Limbo

For decades, the free flow of data between the United States and the European Union has been a cornerstone of transatlantic digital commerce. Transatlantic data flows account for more than half of Europe’s data flows and about half of U.S. data flows globally. With the abandonment of Privacy Shield, and before that, Safe Harbor, companies are no longer protected from liability over those data transfers. The Schrems II decision makes the existing EU-US Privacy Shield framework completely void as a mechanism for data transfers and makes the day-to-day operations of these global companies more complex, regardless of whether they’re U.S.-based with operations in the EU or EU-based with operations in the U.S.

Ultimately, the impasse over cross-country data flows between the U.S. and E.U. comes down to a lack of trust between very different policy regimes. Persistent doubts about the protection of this data in the hands of governments show no signs of subsiding and have grown so deep as to threaten economic relationships worth trillions of dollars. Adding even more complexity to this equation is the fast-approaching final transition toward Brexit, an event that could further limit legal options for sending and receiving data between the regions. 

With regulators on both sides of the Atlantic heading back to the regulatory drawing board, thousands of multinational organizations are now in legal limbo.

The Status Quo Won’t Cut It

A replacement for Privacy Shield – once heralded as a substantial privacy guardrail enforced by the U.S. Federal Trade Commission and the U.S. Department of Transportation – will materialize at some point, but when is unclear. Until a new policy solution is in place, the operating status quo during this waiting period won’t mitigate the legal and reputational risks companies now face.

Simply put, companies must create and sustain their own data security life ring until this fog of uncertainty lifts – and well beyond, because it’s likely this won’t be the last clash over how data is handled. The current absence of a federal data protection law (equivalent to GDPR) in the U.S. should also further compel companies to take matters into their own hands. Organizations must act now to find their sensitive data, wherever it is, and secure it.

The EDPB recommendations highlight two technical actions companies can take now: using encryption and adopting specific key management practices, so that personal data keeps the EU level of protection. These should be part of a broader data privacy trust framework that includes the following principles:

Perform careful mapping of international data flows

  • Perform a risk assessment for each country to which the data is being transferred

Follow GDPR guidelines

  • Proactively and continuously monitor data stores for GDPR-sensitive data

Discover, protect and control sensitive data

  • Discover your data wherever it is and classify it. That way you know what data you have and can apply the appropriate security measures as outlined by GDPR.
  • Protect sensitive data in motion and wherever it is stored using encryption. Encrypting network traffic and data in the cloud and in data centers ensures that no one can read the data without the keys.
  • Control access to the data by creating, storing and managing the encryption keys in the data's country of origin. That way, you own the keys, not the cloud provider, and no government can access the data.

The handling of data by U.S. companies has never been under closer scrutiny. All eyes are on the actions, or the lack thereof, of companies riding out this impasse. Compliance audits will ultimately reveal those that took immediate steps to protect data privacy and help build a future we can all trust.

About the author: Sebastien Cano is the SVP for Cloud Protection & Licensing at Thales.