Allow me to highlight the latest movements in Europe regarding cross-border data flows and data privacy protection. I am using an update provided by the Wall Street Journal—WSJ PRO—in its CYBERSECURITY Section. Regulators and courts are asking for proof of how companies protect data that leaves the EU, going to the US but also to other parts of the world, including the Asia Pacific Economic Cooperation (Apec) and—with that—the Philippines.
More frightening, European privacy regulators and courts are looking into how companies transfer personal information to the US and have ordered suspensions of some data flows.
To be more specific: Portugal’s data protection authority last week required the country’s statistical institute to stop sending personal information to the US from Portuguese residents filling out the national census, after determining that there weren’t sufficient privacy safeguards in the institute’s contract with California-based cloud security and infrastructure provider Cloudflare Inc.
The decision is the latest move by European officials to clamp down on how companies transfer data from the European Union abroad following a ruling last July from the bloc’s top court. The ruling demanded additional privacy protections if businesses move data outside the 27-country union. Regulators around Europe are looking into similar data-transfer issues, and privacy advocates have filed lawsuits to try to force companies to keep personal data from entering the US.
Portugal’s regulator received about a dozen complaints related to how the statistical institute collected personal data for the country’s census and ordered the institute to stop sending data to the US within 12 hours of its decision, said Clara Guerra, a spokeswoman for the authority.
“It was an immediate risk for data subjects. We’re talking about the whole population of residents in a country,” she said. Census respondents provided their full name and could opt to answer questions about their health and religion, she said. Those two issues are considered especially sensitive types of data under the EU’s 2018 General Data Protection Regulation, the bloc’s strict privacy law.
Ms. Guerra said it didn’t matter whether the statistical institute actually transferred data to the US; doing so was possible under its contract with Cloudflare, and there weren’t protections to safeguard Europeans’ rights.
Cloudflare said in a news statement that the institute didn’t transfer any personal data to the US. The institute stopped using the technology company’s services, said Alissa Starzak, Cloudflare’s head of public policy. The Portuguese statistical institute didn’t respond to a request for comment.
Ms. Starzak said that after the EU court ruling last July, Cloudflare customers requested safeguards such as guarantees that their data wouldn’t leave the union. The company introduced services shortly after the ruling that made it easier for customers to control where their data is stored. Some opted for safeguards that are stronger than those privacy regulators recommended, such as ensuring data won’t leave a jurisdiction, she said. “Nobody wants to be the entity who is targeted.”
In Bavaria, Germany, the privacy authority asked a company what safeguards it used to protect e-mail addresses from individuals who received a newsletter operated by Rocket Science Group LLC’s Mailchimp, a marketing technology company based in Atlanta.
The company that used Mailchimp stopped using the newsletter service, a spokeswoman for the authority said. She declined to name the company. Mailchimp declined to comment.
The EU court ruling in July prompted companies to assess whether they can continue transferring data to the US, and also led privacy advocates to file lawsuits seeking to stop data from traveling out of the EU.
A group of 169 French drivers for Uber Technologies Inc. filed a lawsuit in February in the country’s top court asking for the ride-hailing company to stop sending drivers’ personal information to the US.
“This data can be used by any US authority without any control,” Jérôme Giusti, a lawyer representing the drivers, said in an e-mail. An Uber spokesman said, “We do not share our users’ personal data for commercial purposes without an appropriate legal basis, or sufficiently aggregated not allowing identification of our users.”
More scrutiny of trans-Atlantic data transfers is likely, Mr. Ustaran said. The privacy regulator in Hamburg, for example, audited companies and government offices asking about safeguards they use to protect any data that might travel to the US, a spokesman said. Some adjusted their data-transfer methods, and the regulator’s office is continuing to send questionnaires to companies about how they protect data leaving the EU, he added.
Philippine BPO companies have already done much to protect data flows and to demonstrate compliance with privacy regimes both here and abroad. It would be good if the compliance efforts of these companies could finally be given recognition with an internationally accepted seal such as the Apec Cross-Border Policy Rules or Privacy Recognition for Processors.
The message is clear: the National Privacy Commission has to get its act together to demonstrate to the world that cross-border data flows from the Philippines to the EU, the US, Apec countries and many other destinations are protected.
I look forward to your responses; email me at hjschumacher59@gmail.com