The discussion at the Council of the EU in the context of the European data protection legislative reform that took place on 6 June is by no means the end of a process which is likely to carry on for at least a year, but it provided a helpful pointer as to where the policy-making thinking is. One of the biggest challenges that organisations operating in the EU have faced since the 1990s is the prohibition on transfers of data to jurisdictions outside the EU without equivalent standards of data protection. The ongoing legislative reform is an opportunity to review the existing regime and bring it into line with today’s data globalisation.
Following the recent Council meeting and bearing in mind the political climate, it is now possible to see how this issue is likely to evolve. More importantly, any global organisation that operates in Europe should take into account this situation in order to plan how to manage its international data flows now and in the future. In the light of where the political and legislative process is at the moment, the following factors should be considered:
- It is clear that the relevant EU institutions – the European Commission, the European Parliament and the Council of the EU – are aligned on retaining a restrictive regime for international data transfers. Even if a degree of flexibility is injected into the mechanisms used to legitimise data transfers, the principle of unsafe data flows being banned by default is set to continue under the new framework.
- The immediate practical effect is that any current efforts being made by organisations to devise and implement global data protection measures will not be wasted. The bottom line is that where an organisation allows personal data to be accessible from outside the EU or to be stored in the cloud, the law will require – as it does today – that adequate measures of protection in line with European standards be put in place.
- Safe Harbor is and will continue to be a sensitive issue. European politicians and regulators are unconvinced about the level of data protection afforded by Safe Harbor, but in all likelihood, it will remain an accepted route to legitimise data transfers between the EU and the U.S. Certain reinforcement of the Safe Harbor requirements should be expected – not least because the entire EU data protection regime is being tightened – but US entities that take the Safe Harbor Privacy Principles seriously will still be able to wear the badge of safe recipients of European data.
- There is room for optimism in terms of the procedural steps to show that adequate measures to protect data have been adopted. This is more likely to be felt in terms of the content of any contractual arrangements aimed at safeguarding data exports and the necessary paperwork to evidence this. In recent years, there has been a welcome trend amongst regulators to be receptive to different types of contractual solutions – such as Intra-Group Agreements and vendor-led agreements – and this is likely to be reflected in future legislation.
- Perhaps the most obvious development is that Binding Corporate Rules (BCR) have become policy makers’ and regulators’ favourite approach to legitimise international data transfers. The fact that EU data protection authorities are already approving ‘BCR for Processors’ (aka ‘Binding Safe Processor Rules’) shows that BCR is a solid bet for everyone, as it provides real and practical protection with minimum ongoing oversight.
Ultimately, one thing that is certain is that complying with the regulatory regime affecting global access to personal data will remain a challenge tomorrow, as it has been a challenge for nearly 20 years. As with all business-critical challenges, overcoming this one requires an effective vision, thoughtful planning and a team effort.
This post originally appeared on LinkedIn.