
Data transfers: the way forward


Martin Folke Vasehus, CEO, founder and IT lawyer | ComplyCloud

European regulatory initiatives, such as the EU-U.S. Data Privacy Framework, have made safeguards for data transfers a hot potato. Martin Folke Vasehus from ComplyCloud shares his insights and advice on international data flows.


The recent EU-U.S. Data Privacy Framework, which aims to ensure that data can flow safely from the European Union to companies in the United States, has again put the topic of data transfers high on the agenda. “The EU-U.S. agreement is a result of the EU Commission’s attempt to solve the headache stemming from the landmark ruling in the Schrems II case, which annulled the Privacy Shield that enabled the transatlantic data flows.”


Data Privacy Framework

In 2023, the European Union adopted its adequacy decision for the Data Privacy Framework, concluding that the US ensures an adequate level of protection – comparable to that of the EU – for personal data transferred from the EU to US companies that have joined the framework. “The agreement has spurred fierce discussions on international data transfers”, reflects Martin Folke Vasehus, CEO, founder, and IT lawyer at ComplyCloud. ComplyCloud is a Danish legal tech company that combines state-of-the-art software with a team of leading privacy and IT lawyers to support organisations in achieving and maintaining GDPR and IT security compliance.


Risk-based and proportionate

“The conversation about the EU-U.S. Data Privacy Framework has become highly politicised. There’s much debate about the risks of US public authorities and intelligence agencies using European citizens’ personal data for criminal law enforcement, national security purposes and espionage,” notes Vasehus, who is a keynote speaker at the Data Protection & Privacy Conference 2023 that takes place in Amsterdam on September 28 and 29. “But how do we measure these risks while ensuring a risk-based approach to data protection and proportionality? And what are the options for European companies that are using international IT suppliers, given the fact the vast majority of tech firms are based in the US, or affiliated with a US company?”


“Keep in mind that compliance with the GDPR is meant to be risk-based and proportionate”, Vasehus emphasises. “The GDPR confers human rights on data subjects: individuals have a right to privacy. But in the discussions on the interpretation of the GDPR, the protection of data rights tends to be contrasted with enterprises’ costs for compliance. We should work towards a balanced approach.”


Working with legitimate law

While Vasehus is positive about the introduction of the EU-U.S. Data Privacy Framework, he is concerned that companies that consider making use of it will be stigmatised by some. “US companies will be able to join the framework by committing to comply with a detailed set of privacy obligations. Some critics are saying that the agreement is merely a temporary loophole that companies will use to escape GDPR obligations. They predict that there will be another Schrems court case and that the EU Commission will once again lose.”


“Irrespective of political views, I think it’s important that the EU-U.S. Data Privacy Framework is recognised as legitimate law, as the opposite situation will entail loss of trust in the democratic institutions creating our laws”, asserts Vasehus. “We can’t simply set aside the framework out of the fear that someday it may be annulled in a court case. We need to work with it, and to develop practical tools and risk-based approaches to hedge against changes in the law – as we should with any other legal act.”


Data Transfer Impact Assessments

Organisations that seek to transfer personal data from the EU to other countries are required to assess whether the recipient country offers “an essentially equivalent level of protection”. Data Transfer Impact Assessments (TIAs) are the tool for determining exactly that, within the legal framework set out by the European Data Protection Board. “For countries that are considered safe, a Data Transfer Impact Assessment can be executed relatively quickly. For the unsafe third countries, it can be trickier to conduct an assessment, as it requires a review of the applicable national rules and case law.” The ComplyCloud software has business logic that takes into account legislation and case law for sixteen unsafe third countries, enabling users to complete a TIA in approximately 30 to 60 minutes.


Transparency for privacy

According to Vasehus, a major issue for the future of data transfers is the clarity of legislative initiatives. “Currently, if you ask five different law firms about the criteria for using an IT supplier from the US, you will receive five widely different replies. When regulation is open to discussion to such an extent, it must be questioned whether it has the necessary clarity. If it lacks clarity, it is in conflict with the rule of law and a problem for the trust we have in the public institutions issuing and enforcing our laws. What’s more, since the introduction of the GDPR, the business world has spent a significant amount of money on legal advice just to understand the obligations – not to take shortcuts or use loopholes. Not all those investments are proportionate. In many cases, the money could have been better spent on, for instance, security measures that support data protection.”


“Transparency is key to taking the next step in data transfers”, says Vasehus. “We must require from our legislators and DPAs that they apply a unanimous and transparent interpretation of the rules and obligations that can be understood by the average EU organisation. I hope that, as privacy professionals, together we will stand up for realistic guidance and full transparency on the practical implications of the rules.”

Data protection and privacy

Are you interested in learning more about international data transfers and the vision and expertise of Martin Folke Vasehus? Join the ComplyCloud team and many other experts at the Data Protection & Privacy Conference 2023 in Amsterdam on September 28. For more information about the conference programme and tickets, please visit the website.
