With All Eyes on International Data Transfers, Five Tips to Stay Compliant
In Europe, regulatory scrutiny over data flows from EU member countries to the U.S., U.K. and other non-member jurisdictions is picking up steam. The Schrems II ruling is serving as a primary driver, arming EU data protection authorities (DPAs) with a new platform for enforcing GDPR.
In September of last year, on the heels of Schrems II, the Finnish DPA began sending inquiries to companies about their data transfers to the U.S., and Max Schrems’s watchdog organisation, NOYB, has also been active in initiating compliance checks on various companies across Europe. Since February, more European DPAs have followed suit in an effort to actively enforce Schrems II, including the German, Portuguese and French DPAs.
In parallel with enforcement activity, regulatory developments surrounding cross-border data transfers continue to gain momentum since the Schrems II decision was handed down. To date we have seen the invalidation of the Swiss Privacy Shield, new draft Standard Contractual Clauses (SCCs) and growing adequacy talks between the EU and non-member states including South Korea and the U.K.
These developments are adding fuel to an already burning fire. Even before Schrems II, as enforcement started gaining momentum, organisations were bracing for an uptick in regulatory activity. In the recent FTI Consulting Resilience Barometer®, a global survey of more than 2,000 corporations, 69% of respondents said regulatory breaches or investigations are spiking now or will in the next six to 12 months. More than one-third said they strongly agree that this regulatory uplift will make business more complicated.
In this climate, a reactive stance is not a viable option. Below are five key considerations for organisations looking to get in front of these risks and bolster compliance around international data flows.
- Be prepared for more EU DPAs to begin flexing their regulatory muscles. In the coming weeks and months, regulators in more EU countries should be expected to follow Finland’s lead in enforcing Schrems II. Regulatory efforts will be strengthened by NOYB’s independent work to expose companies that are not in compliance.
- Remember to address data transfers relating to M&A activity. In 2020, a lot of M&A deals and transactions were delayed due to COVID-19, and we’re now starting to see an influx of global deals back on the table. M&A due diligence and merger control investigations often involve cross-border data transfers, particularly to the U.S. In the mad rush to progress business and quickly respond to document requests from U.S. regulators, data privacy considerations are often deprioritised. With regulators in the EU making a strong push for privacy this year, it’s critical for companies engaging in M&A to pause long enough to make sure all transfers are lawful.
- Consider localising privacy-sensitive data. We’re seeing an increasing interest among companies to keep their data hosting, investigations, breach response and other data-driven work in-country. Data localisation—and geographically containing where data is stored, who is accessing it and its overall workflow/lifecycle—is one sound option for minimising data transfer risks.
- Revisit standard contractual clauses (SCCs). In November, the EU Commission released an updated draft decision on the viability of SCCs as a mechanism for lawful cross-border data transfers. The updated version is expected to be finalised and published this year. At that point, organisations will have a one-year grace period to replace existing SCCs and update contracts relating to international data flows. There is every reason to expect this decision to come forth, so organisations should begin revisiting SCCs sooner rather than later.
- Watch Brexit decisions closely. On the heels of Brexit, the EU is expected to grant the U.K. adequacy under GDPR, but there are no guarantees at this point. Nevertheless, positive developments are gaining ground, starting with the European Commission’s draft adequacy decision in February, and the related European Data Protection Board’s formal opinion earlier this month. Even if adequacy is granted, organisations should expect heightened scrutiny over transfers from the EU to the U.K. Brexit has created a fast-changing dynamic, and in the coming months, privacy, legal and compliance professionals should stay abreast of the developments.
Countless business activities and workflows require the transfer of data across borders. The ability to move data between jurisdictions is a significant factor in maintaining business continuity, but it is also becoming increasingly risky. The effects of Schrems II and the increasing momentum behind GDPR enforcement should not be taken lightly. Taking the time now to reassess existing cross-border data transfer mechanisms is a far better option than facing a regulatory violation down the line.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.