
The demise of Privacy Shield may be the end of US-Europe data transfers

Tools used to shuttle digital information out of Europe are stuck in legal limbo. Now companies are considering the once-unthinkable: limiting the flow of data out of the bloc.

After the EU's top court last month struck down a second transatlantic data protection agreement, called Privacy Shield, in five years, businesses on both sides of the pond have been quick to call for a swift replacement, rallying around the concept of frictionless data that has undergirded the internet since its inception.

But the annulment of Privacy Shield suggests the tide may be turning on the idea of a truly borderless internet.

European regulators are increasingly speaking out in favor of keeping data stored inside the bloc. And while the Continent's landmark General Data Protection Regulation (GDPR) has provided a template for privacy rules in other parts of the world, so too have Chinese-like restrictions on data flows — in India and Brazil, both GDPR-like laws and local data storage requirements are in the pipeline.

While it remains to be seen exactly how EU watchdogs will interpret the Privacy Shield ruling, a growing number of companies are not waiting to find out — and are proactively taking the decision to keep their data in the bloc.


In 2018 cybersecurity firm Kaspersky began storing data from Europe and North America in Switzerland to ward off privacy concerns. Digital wallet provider Dashlane has stored user data in Europe since its launch in 2012 because founders believed that high data protection standards would appeal to its customers.

Peter Yared, whose firm InCountry helps companies comply with local data regulations, told POLITICO that data localization requirements are increasingly factored in by clients, especially those with a global footprint. “From our customer conversations, we think … companies with a global mindset … are setting themselves up for a future of tighter digital data regulations,” he said.

Those companies may well become the precursors to a stampede. A lawyer who represents large tech companies — and who asked to speak on condition of anonymity to discuss confidential matters — said they now advise some clients to consider compartmentalizing data in different regions.

“We used to tell our clients not to worry about where to store their data because data export mechanisms allow for a lot of flexibility, but we've done a complete 180 and tell clients to consider storing data locally first. It's not because of the Schrems II ruling per se, but it seems that increasing restrictions on data flows is the way the world is going and this will help clients future proof their compliance program,” the lawyer said, referring to the annulment of Privacy Shield earlier this month.

Germany leads charge

While the EU's top court struck down the Privacy Shield over fears of U.S. snooping, it upheld the legality of instruments used to export personal data all over the world called Standard Contractual Clauses (SCCs).

But an apparent endorsement of SCCs came with hidden barbs: The court stressed that it was up to companies and data protection regulators to check if transfers done using those instruments adhered to Europe's high data protection standards.

In a sign of the legal headaches to come, Europe's grouping of data protection authorities said an assessment of whether data exports using SCCs were legal would have to be done on a “case-by-case basis”, raising the prospect of companies having to do a painstaking analysis of foreign surveillance regimes whenever they want to send data abroad.

Regulators in Germany went further, with Berlin's data protection regulator calling for data stored in the U.S. to be relocated to Europe and the watchdog in the state of Baden-Württemberg telling POLITICO that SCCs as they stand are now largely unsuitable for exporting data out of Europe. A joint statement by all of the country's privacy regulators later said that SCCs for U.S. data transfers without additional safeguards were “generally not sufficient.”

Calls for data localization — especially from privacy-conscious Germany — are not new, but this time could be different. Digital sovereignty has emerged as a top priority for Europe's top policymakers, who have thrown their weight behind projects like Gaia-X, an initiative aimed at boosting the bloc's ability to store data on the continent.

Local data storage requirements are also in vogue. China and Russia are high-profile adherents to the policy, but restrictions on data are popping up all over. India and Brazil, under strongmen leaders Narendra Modi and Jair Bolsonaro, are also leaning toward data localization requirements, while countries like Vietnam and Malaysia have similar rules. Western allies like Australia and some Canadian provinces have restrictions too.
