Privacy International, LLP

Transatlantic Data Transfers

Data transfers between the U.S. and EU enable about $7.1 trillion in international trade, nearly $700 billion in exports from the U.S. and nearly $500 billion in imports. In 2018, U.S. companies with operations in Europe supplied $490.5 billion in digitally-enabled services, double U.S. digitally-enabled exports to Europe. Similarly, European companies in the U.S. supplied $273.8 billion in digitally-enabled services, double Europe’s digital services exports to the U.S.

There is pressure for the U.S. and EU to work together to swiftly finalize a new EU-U.S. Privacy Shield agreement as a transatlantic data transfer mechanism. In response, the EU-U.S. Trade and Technology Council (“TTC”) met on Sept. 29, 2021, but the meeting did not result in any significant progress related to international data transfers.

The TTC did create ten (10) working groups, including two groups related to international data transfers, data protection and privacy: group 5 – Data Governance and Technology Platforms, and group 6 – Misuse of Technology Threatening Security and Human Rights. The key objectives of these two groups are to address technology regulation (social media, AI, big data) and data governance, with the aim of creating a long-term agreement on transatlantic data transfers.

What is at Risk?

The inability to collect, transfer and use personal data by the over 5,300 companies that have relied on the EU-U.S. Privacy Shield to seamlessly transfer data across borders in order to conduct their business activities. The loss of cross-border data flows would impact over 750 million consumers and an array of essential activities, including multi-country clinical trials for innovative medicines such as COVID-19 vaccines, cybersecurity threat information sharing, and anti-fraud and anti-money laundering efforts.

Recommended Actions

While the United States is eager to discuss EU-US data transfers, which underpin billions of dollars of digital trade, Europe’s disengagement from advancing these discussions has many companies wondering how to address the data transfer gap created by the European Court of Justice’s invalidation of the Privacy Shield in 2020.

Companies can reduce the risk related to the loss of cross-border data transfers. The first critical step is to complete a detailed data inventory and data flow map. This activity has many benefits, such as managing individual rights requests, identifying the types of personal data that may trigger notification[1] requirements if breached, and addressing a critical data management requirement for Standard Contractual Clauses (SCCs).

A few additional actions should include:

  1. Enhancement of the Verification Process – key areas include verifying employee vaccinations and managing customers’ individual rights (deletion, access, update, export, choice).
  2. Signed attestation – the employee acknowledges the employer’s vaccination policy and signs an attestation confirming vaccination status.

Data Breach Plan for Board Engagement – when an organization suffers a significant data breach, the organization’s board of directors plays a key role.

The organization’s plan should focus on understanding and communicating:

  1. scope and cause of the breach,
  2. risks or potential harm to the individual,
  3. plan to mitigate the risk,
  4. frequency of updates to the board and outline of information presented, and
  5. management’s actions to fix deficiencies.

[1] Such data includes: (i) taxpayer ID number; (ii) identity protection personal ID number issued by the IRS; (iii) passport number, military ID number or other government-issued ID number; (iv) biometric data; (v) certain types of medical information; (vi) health insurance ID numbers; and (vii) a user name or email address in combination with a password or security question and answer.

Privacy International can advise on a broad range of privacy, data protection and information governance matters, including: privacy policies, standards and controls, data governance, incident management, regulatory investigations, cross-border data transfers, training programs, internal audits, website privacy notices, data harvesting, and program metrics.