The regulatory environment affecting cross-border data transfers continues to fluctuate, leaving many organizations without clear guidance when exchanging customer and employee data. Why?
Because the European Court of Justice invalidated the EU-US Privacy Shield Framework as an approved mechanism for cross-border data transfer in July 2020, stating that it neither prevented US intelligence agencies from mass-collecting the personal data of EU residents, nor provided effective judicial redress for those whose data was collected.
Dan Frank, principal, Daniel Sutter, senior manager, and Stephen Sharon, manager, all with Deloitte Advisory Cyber Risk Services at Deloitte & Touche LLP, discussed the implications of this latest shift for organizations around the world. I would like to share their views with you, given the fact that the Philippine Business Process Management (BPM) industry continues to expand and is affected by these changes.
Does this decision require a response? What are the risks of inaction?
Frank: “Ignoring the invalidation of Privacy Shield exposes organizations—and any vendor partners that have leveraged Privacy Shield for transferring data—to multiple risks. They may face enhanced scrutiny and regulatory actions by the various EU-based supervisory authorities, for example, or the blocking or suspension of existing data transfers. Increased monetary fines are possible, as is fallout with vendors and partners, potentially leading to negative impacts on the business.”
What should businesses do now?
Sutter: “Organizations that participated in Privacy Shield should continue to follow the contractual terms to which they are bound. A failure to do so could result in regulatory action related to deceptive and unfair trade practices.
Another step is to catalog data transfers that currently rely on Privacy Shield. If an organization regularly conducts privacy impact assessments, creates data flow diagrams, or uses privacy-enhancing tools, those mechanisms may assist with this task. Simultaneously, it’s a good idea for companies to refer to their data transfer strategies, drafting one if not already documented, to identify other potential data transfer mechanisms, such as standard contractual clauses (SCCs) or binding corporate rules (BCRs), that align with their organizations’ operations.”
What should they do next?
Sharon: “At present, there is no documented grace period. As a result, organizations should migrate to alternative transfer mechanisms expeditiously, suspend data transfers, or risk noncompliance. Implementing BCRs or SCCs can be a complicated and time-consuming process. Historically, SCCs—which support data transfers to third parties—are the more versatile and popular option, but they were indirectly challenged by the recent decision. While SCCs remain an approved mechanism, organizations should now and in the future conduct due diligence before relying on them.
The fatal weakness that resulted in Privacy Shield’s invalidation is not intrinsic to Privacy Shield, so organizations are encouraged to collaborate with internal affiliates and data processors to determine whether the existing clauses in the SCCs or BCRs provide adequate protections to EU personal data based on their organizations’ operations. Also advisable is determining whether the laws in recipient countries provide adequate protections, including whether they provide a means of recourse for EU residents. Based on what they learn, organizations can then implement additional safeguards and/or data transfer mechanisms as needed.”
How about down the road?
Frank: “In the coming weeks and months, more clarity will be available regarding which countries are deemed to be the riskiest to receive EU personal data, and what kinds of additional legal, technical, and/or organizational safeguards controllers and processors should add. In addition to staying abreast of these developments, organizations should also look ahead and prepare for the following:
The release of updated SCCs, as the current set has not been updated since before the General Data Protection Regulation (GDPR) was announced.
As-yet-unknown implications of Brexit; the EU-UK Withdrawal Agreement expires at year’s end.
Additional data transfer requirements and restrictions, particularly those involving the United States.
The European Court of Justice has stated that the acceptability of transfers going forward will depend in part on the adequacy of the legal, technical, and organizational data protection safeguards put in place by data controllers and processors. The protections afforded by the laws in the recipient country will also play a role in determining whether SCCs or BCRs can be relied upon. The privacy landscape continues to evolve, so organizations should be prepared to update remediation plans as needed.”
What about the APEC Cross-Border Privacy Rules (CBPR)?
Good question. It has to be assumed that the APEC CBPR will be adjusted once the EU and the US come up with new cross-border privacy rules. In the meantime, BPM companies in the Philippines that deal with APEC countries in cross-border data flows may want to have a look at the APEC CBPR and the certification that is issued by Accountability Agents. Hopefully, the Philippines will have its first Accountability Agent soon.
If you need more information, please contact me at schumacher@certitrust.asia