It’s close to 7pm on a Friday evening and my team are trying their best to manage our clients’ stress and frantic desperation. Jokes about how much they love Max Schrems are shared by email. In the meantime, we are diligently working our way through endless charts of dataflows and attempting to cover every single one of them with intra-group agreements, model clauses and the like. It’s been like this since October and the pace is anything but slowing down. Sorting out international data transfers has always been a difficult compliance challenge for multinationals but the current levels of anxiety are simply unprecedented.
From what I have seen across organisations of all sizes and cultures, the general panic has been in crescendo since the Court of Justice of the European Union (CJEU) issued its ruling invalidating the Safe Harbor adequacy decision. No matter how many times – in public and in private – we have tried to convey the message that there was no reason to panic, fear and uncertainty have taken over the world of international transfers of personal data. It really shouldn’t have been this way but why have we suddenly seen this level of frantic activity to try and legitimise cross-border dataflows when the legal restrictions have been around for the best part of 20 years? Sure, the Safe Harbor decision was pretty dramatic, but only a limited proportion of transfers were covered by it anyway. Why do we appear to be facing some sort of data transfers Armageddon?
First of all (and you’ve heard this from me before…) placing geographical limitations on the flow of personal data is not just another data protection measure. It is an intrinsically disruptive way of regulating data protection. We don’t live in a world where data is collected, used, shared, and then occasionally, transferred across national borders. The digital economy of which we are all part understands no borders. That is in fact the whole point of Internet technology and mobile communications. Cloud computing, social media and anything to do with digital human interactions are by definition global and it is that aspect that has most decisively contributed to the growth of the information economy. So restricting the way in which data globalisation operates is certainly not a small matter.
The anxiety we are experiencing is partly due to the reaction of the EU data protection authorities to the CJEU’s decision. Within 10 days of the ruling, the authorities made it clear through the Article 29 Working Party that they saw it as absolutely essential to have a robust, collective and common position on the implementation of the judgment. With a united voice, they demanded compliance in connection with any ongoing data transfers and set themselves a deadline of the end of January 2016 to carry out an assessment of the validity of the existing data transfer tools. In a slightly chilling way, they also reminded everyone that the authorities were committed to taking all necessary and appropriate actions to ensure compliance, including coordinated enforcement actions.
An enforcement threat like this is unnerving under normal circumstances but when made alongside a tight deadline and while the validity of well-established tools like the European Commission’s standard contractual clauses and Binding Corporate Rules is being questioned, a general panic is to be expected. In the absence of any further regulatory guidance, the most obvious response has been to try and get as many sets of model clauses signed as humanly possible. But of course, the logistics of figuring out what transfers may have been taking place, assessing which ones are already adequately protected and which ones may not be, and then drawing up all of the necessary contracts with the right parties and dataflow descriptions are not insignificant. Add to that the myriad of different formalities that exist across EU Member States when a contractual solution is deployed, and achieving perfect compliance is simply ‘mission impossible’.
Ultimately, the challenge of international data transfers goes well beyond formal compliance. This is a very politically charged issue and as such, outside any company’s control. That basically means that while the legal restrictions exist and since what amounts to an adequate level of protection is subject to debate, uncertainty will always surround this issue. All we can hope for is a bit of common sense and, ideally, a sign from regulators that deploying sensible efforts to protect data globally will be taken into account when assessing compliance. Otherwise, the very real risk is that all efforts are devoted to completing paperwork rather than to the real business of protecting people’s data.
This article was first published in Data Protection Law & Policy in January 2016.