EU Adopts New Privacy-Focused Data-Sharing ToolsTech Giants Welcome the New Data Transfer Move
The European Commission has released two new tools aimed at easing the current legal hurdles associated with data sharing by European Union-based organizations and other businesses operating in the region. Tech giants embroiled in controversy over the EU's stringent data-sharing polices welcomed the move.
The EU's standard contractual clauses are a set of laws that have been designed to facilitate lawful and secure transfer of personal data between the European Economic Area and non-EU countries.
The two new clauses, which clarify new arrangements for data sharing, are:
- Standard contractual clauses for controllers and processors in the EU/EEA for use between controllers and processors inside the EU.
- Standard contractual clauses for international transfers for transfer of personal data to countries outside the EU.
Prior to the amendments, many organizations had differing standard contractual clauses, which might not have been in compliance with GDPR, but with this clarification of the obligations between parties, the amended rules explicitly allow organizations to add their own standard contractual clauses so long as these do not contradict GDPR or citizens data rights, and tools are provided to ensure they are compliant.
The tools include advice on "single-entry point" for different data transfer requirements and more streamlined data processing chains to help business organizations ensure compliance with requirements, thus allowing for secure movement of data across borders without legal hurdles, the commission notes.
Further, the commission has given an 18-month deadline to companies that are currently following the previous set of standards to transition to the new requirements.
"In Europe, we want to remain open and allow data to flow, provided that the protection flows with it," says Vera Jourová, the vice president of the European Commission for Values and Transparency. "The modernized standard contractual clauses will help to achieve this objective: They offer businesses a useful tool to ensure they comply with data protection laws, both for their activities within the EU and for international transfers. This is a needed solution in the interconnected digital world where transferring data takes a click or two."
The EU says the two clauses are applicable to citizens, public agencies and private companies that are transferring EU citizens' personal data to a third country. They are also applicable to entities in a third country that are receiving the data.
Some of the requirements for data exporters and importers under the proposed laws include:
- Listing the origin and destination of the data and ensuring that it is done with the consent of the parties involved. It should also list the identity, contact details and purpose of the data.
- Imposing storage limitation and not allowing the stakeholders to withhold the data beyond the time allotted for processing the data.
- Ensuring security of data from data breach, unauthorized disclosure and loss. Also estimating the risks involved in the processing of the data and ensuring encryption or pseudonymization of the data even while the data is being transferred.
- In case of a data breach, taking measures to address the breach and to mitigate the threat.
- Documenting all facts relating to the personal data breach, including its effects and any remedial action taken.
For noncompliance, the EU notes stakeholders will be prosecuted under Article 45 of the General Data Protection Rule pertaining to transfer of personal data to a third country or an international organization, or violation under transfer of personal data outside the EU - violations of any of which can result in a fine of 20 million pounds or up to 4% of the annual worldwide profit, the commission notes.
Tech Giants React
The tech sector has welcomed the latest revisions to the privacy rules.
On Friday, Microsoft tweeted that it will incorporate the new standards into its operations. "Microsoft will incorporate the European Commission's new standard contractual clauses into our contracts to ensure our continued strong protection for our customers' data," the company tweeted on Monday. "We offer SCCs and additional supplementary measures to meet or exceed the requirements of the EU data protection laws."
The @EU_Commission has released a new set of Standard Contractual Clauses (SCCs) for cross-border data transfers.— Microsoft European Affairs (@MicrosoftEU) June 4, 2021
Here's our response ⬇️#DataProtection https://t.co/7kokKOcY5w pic.twitter.com/bUHgYj2A2l
"While we are still analyzing the details published today, we welcome the Commission’s alignment of SCCs with the General Data Protection Regulation’s risk-based approach, including to reflect documented practical experiences of companies using SCCs for compliance purposes," said John Miller, the Information Technology Industry Council’s senior vice president of policy, trust, data and technology. "We also appreciate the clarification of obligations between parties and the extension of the transition period for companies that are currently using previous sets of SCCs."
"All in all, it is fair to conclude that the new SCCs have embraced an accountability approach for both the data exporters and the data importers. Both should properly document their compliance assessments, and be ready to make that documentation available to the DPA upon request," says Paul Breitbarth, director of EU policy and strategy at security firm TrustArc.