International Data Transfers
Since the CJEU (Court of Justice of the European Union) overturned the then Privacy Shield in its famous "Schrems II" decision on July 16, 2020, the topic of "international data transfer" has been a permanent item on the agenda of data protection officers and in statements by European supervisory authorities. In 2022, the topic gained particular momentum in several respects.
In March 2022, the EU Commission and the Biden administration announced they had reached an "agreement in principle" regarding a new replacement for the invalid Privacy Shield.
Finally, on October 7, the White House released information on the corresponding Executive Order, which would implement the announced agreement in principle on data transfers between the U.S. and the EU into U.S. law.
The Executive Order addresses the requirements of Schrems II by, among other things, adapting the far-reaching access to data in the context of national security and the complaint and redress procedure.
The legally compliant design of data transfers from Europe to the USA was one of the most frequent, complex, and time-consuming issues that data protection officers in companies had to deal with over the last two years.
There is movement on this issue: the Commission published its draft version of the upcoming adequacy decision as an early Christmas gift in mid-December 2022, and work on the new EU-US Data Privacy Framework is being carried out at full speed. So, the agreement is initially welcomed from a data protection perspective.
However, until the EU Commission adopts an adequacy decision, which is expected in the first half of 2023, the current legal situation remains unchanged.
Until then, the other possible transfer instruments of Art. 46 GDPR (in particular standard contractual clauses (SCC) and Binding Corporate Rules (BCR)) as well as the exceptional circumstances of Art. 49 GDPR (in particular consent of the data subjects) must be used - with all the known challenges and disadvantages.
Conversion to New Standard Contractual Clauses (SCC)
In June 2021, the European Commission issued new standard contractual clauses, which have been mandatory for new contracts since September 27, 2021.
These new SCCs have a modular structure and now cover all practically relevant data transfer variants without resorting to complicated and partly impractical contract constellations as in the past.
In this context, organisations must have converted all old contracts to the new standard contractual clauses by December 27, 2022. In personal discussions, heads of various German data protection authorities have independently assured us that there will be no further extension of the deadline or "turning a blind eye" on their part.
Instead, companies that have not adapted old contracts and converted to the new SCCs by the end of December 2022 will face sanctions from the supervisory authorities, as one and a half years gave companies sufficient time for the conversion. In 2022, there were again a large number of regulatory and supervisory measures.
Regulatory and Supervisory Initiatives
Since the Personal Information Protection Law (PIPL) and Data Security Law (DSL) came into force in China at the end of 2021, there is now initial practical experience with their implementation, in particular regarding data localisation and restrictions on certain data transfers.
Major economic powerhouses, like the U.S. or India, are discussing new nationwide comprehensive privacy regulations while the UK is debating significant amendments to the present legal regime. On the other hand, the European supervisory authorities were also very active again regarding fines in 2022.
From January to October, they imposed fines of more than 550 million euros, with the Irish data protection authority taking the top spot this year with its 405 million euro fine against Meta in September, the second-highest fine ever imposed since the introduction of the GDPR.
In addition, major data scandals, such as the massive data breach at Uber, also made headlines worldwide and shook consumers’ confidence in their data’s secure and lawful handling.
With the rise of social media and online platforms, companies can now connect with customers and users all over the world. But this has also made them more vulnerable to data breaches, which can damage their brand, reputation and revenue.
Data scandals can devastate a company’s reputation – regardless of size. They have been known to...
- Damage your brand,
- Cause consumers to lose trust in your company,
- Put employees at risk,
- Cost you money in terms of legal fees, lost business as well as potential fines and damages claims.
Trust as Precious Asset – Privacy as Human Right
Speaking of trust, various studies in 2022 have once again revealed what we at DataGuard have also been observing in our daily practice for a long time: Transparency is an essential element of trust, and consumers value transparency as the most important thing organisations can do to build and boost trust when it comes to dealing with their personal data.
According to a Cisco 2022 Consumer Privacy Survey, 89% of consumers said they care about data privacy, they care about protecting others, and they want more control. Moreover, 82% of them also said this is a buying factor for them.
In this respect, consent and preference management tools can play a vital role in establishing trust in a scalable way as they allow users to decide what processing of their personal data they want – more transparency and control over your data is hardly possible. Therefore, you should consider consent as a verb – not a noun.
On the surface, consent and preference management might not seem all that impactful, but it can make a big difference to a company’s financial performance.
“We implemented the platform and within 6 weeks had captured consent for over 100,000 passengers with a 68% email opt-in rate.” Duncan Waugh, Head of Rail IT at FirstGroup
Our experience shows that a large portion of the IT or software budget is spent only on managing internal complexities, such as having a fancy and powerful CRM tool. Instead, valuable resources could be invested in innovation, such as a good consent and preference management solution, resulting in a better product or customer experience and higher productivity as there will be less churn due to higher trust in your brand.
Last but not least, the importance of data protection as a human right was highlighted in a report to the United Nations General Assembly in October, describing privacy and data protection as an “increasingly precious asset in the digital era”.
This is further proof that companies should invest in privacy and compliance solutions.