GDPR and the Processing of User Data: The Effects on European Companies

February 17, 2022

For a few years now, we have been hearing about the GDPR (General Data Protection Regulation), the European Union's Regulation 2016/679, which governs the processing and circulation of personal data. It is one of the most privacy-protective regulations in force.
Outside Europe, however, companies can process the same sensitive data under less stringent rules.
The choice was made to protect individual users, but it has repercussions for companies that operate online, above all those that need to export data outside Europe, and in particular to the United States.
It is there, in fact, that the registered offices and servers of the most important search engines, analytics tools, and social networks are located: all fundamental tools for promoting a business.
To keep their businesses intact while avoiding breaches of the law and the resulting fines, companies have had to look for new, lawful ways to move their data out of the European Economic Area (EEA, i.e., the EU countries plus Iceland, Norway and Liechtenstein).

Let's take a look at the effects of GDPR on companies, and how they can maintain strategic relationships with non-EU countries in 3 steps, with the help of Veronica Comito, legal advisor at Go Global Ecommerce.

How did we arrive at the GDPR and at these guarantees?

How did we arrive at the formulation of such guaranteed standards? It is a question that many entrepreneurs with online activities, and many information professionals, have surely asked themselves.
It was all triggered by the appeal of an EU activist, Maximilian Schrems, which led the Court of Justice to issue the so-called Schrems Judgment in 2015, declaring data transfers to the US unlawful because the same guarantees that apply in the EU are not maintained there.
This led to the Privacy Shield, an agreement on a certification mechanism recognised by all member countries. If the US provider (or a provider in any other country) to which the data is transferred holds the self-certification required by the Privacy Shield, the transfer is considered compliant.
At first, it seemed that the Standard Contractual Clauses (SCCs) drawn up in 2010 could also be used, but Schrems pointed out that, under Section 702 of the US FISA and Executive Order 12333, the US authorities may acquire data held, or even merely processed, by any 'electronic communication service provider' for national security purposes, without the data subject being able to object or appeal.
This led to the Schrems II Judgment of July 2020, which ruled that the Privacy Shield was unlawful.

"The SCCs are 'saved', but the Court points out that, in light of the findings made by Schrems, the standard contractual clauses may not be sufficient on their own to guarantee an EU-equivalent, and therefore legal, standard of data protection. Following this line of interpretation, in January 2022, the Austrian privacy guarantor declared the use of Google Analytics tools unlawful," explains lawyer Comito.

The impact on companies and data traffic

According to the Court of Justice of the European Union, the standard of privacy protection required in Europe is not met by the non-EEA countries in question, which may render data transfers to them non-compliant.
In particular, in the US all 'electronic communication service providers' (providers of remote computing or electronic communication services; telecommunication carriers; and all officers, employees or agents of such entities) are subject to the control of security agencies (such as the CIA). This means that a 'pure and simple' data transfer to that country, i.e., one based on the old certifications adopted under the Privacy Shield, no longer complies with the guarantees of the GDPR, because the standard of protection is not equivalent to the EU standard.
Consequently, whenever a US company asks its European partners to send it data, appropriate checks must be carried out first.

"In declaring the Privacy Shield illegitimate and the SCCs insufficient, the CJEU did not provide for any grace or transition period. There is therefore a risk that non-EEA data transfers will become unlawful overnight", continues Ms Comito.

How to transfer data to non-EEA countries without breaking the law

This does not mean, of course, that in order to remain legal you have to break off all relations with countries outside the EU (which would obviously be impossible, and counterproductive for the EU itself).

"Transfers of data outside the EEA remain possible without special limitations in certain exceptional cases provided for in Article 49 of the GDPR, based on the informed consent of the user, and the necessity for the performance of the contract," Lawyer Veronica Comito explains. "Unfortunately, the EDPB (European Data Protection Board) has already specified that this is not feasible if the transfer takes place on a large scale, or in a regular or systematic manner. This means that, unless your business is almost entirely national or continental, it is very difficult for you to fall within this exemption."

These conditions exclude practically every company that does cross-border ecommerce. In that case, a case-by-case check of information flows and of the agreements with partners should be carried out.
The following scheme can be followed:

1. Recognition of transfers and related tools

Create a list of partners and service providers located outside the EEA, including data controllers under Article 28 GDPR. Ensure that the agreement leaves the controller free to transfer the data, and check how the transfer takes place.

2. Checking the contract and any transfer agreements

This is perhaps the trickiest step. Scrutinise your contracts with your partners, looking for any data transfer agreements or clauses. Ask about the law in force in the country to which the data is to be transferred. If the level of data protection guaranteed there is equivalent to the EU level, the transfer can go ahead. If not, the third step is the identification and implementation of additional measures.

3. Additional measures

These serve to make the transfer of data to your non-EEA partner compliant when local law or contractual clauses alone are not sufficient. However, this is a very recent and continuously evolving topic, so you will need to keep yourself constantly updated in the coming months. The additional measures may be of various kinds:

a. Measures of a technical nature:

Article 46 GDPR establishes certain safeguards for transfers to third countries or international organisations, provided that the data subject's right to judicial redress is guaranteed. Where that right is lacking, as in the case of the US, other safeguards must be provided. The EDPB gave some examples: encryption and pseudonymisation are acceptable, but transfer to cloud service providers that require the data in clear text, or remote access to it for commercial purposes, is not.
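As an added illustration of the "pseudonymise before export" measure above (example code written for this article, not Go Global Ecommerce's or the EDPB's), the snippet below replaces direct identifiers in an order record with keyed pseudonyms before the record leaves the EEA. The key and the re-identification lookup stay with the EU exporter, so the non-EEA importer never receives the identifiers in clear text; the record, field names and key are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed secret held only by the EU exporter (in practice, a key in an EEA-hosted KMS).
# It is never shipped with the data, so the importer cannot reverse the pseudonyms.
EXPORTER_KEY = b"constructed-exporter-secret-kept-in-eea"

# Fields treated as direct identifiers that must not leave the EEA in clear text.
DIRECT_IDENTIFIERS = {"email", "name", "phone"}


def pseudonym(value, key=EXPORTER_KEY):
    """Keyed HMAC-SHA256 pseudonym: stable for the same input (so the importer can still
    join records), but not reversible without the exporter's key."""
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:32]


def pseudonymise_record(record):
    """Return (exportable_record, eu_only_lookup).

    The exportable record carries pseudonyms in place of direct identifiers; the lookup maps
    pseudonym -> original value and is retained in the EEA for lawful re-identification."""
    exportable, lookup = {}, {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            p = pseudonym(str(value))
            exportable[field] = p
            lookup[p] = value
        else:
            exportable[field] = value
    return exportable, lookup


def contains_clear_identifiers(exportable, original):
    """Pre-export check: does any original direct identifier still appear, in clear text,
    anywhere in the serialised outbound record (the 'clear text' situation the EDPB rejects)?"""
    blob = json.dumps(exportable).lower()
    return any(str(original[f]).lower() in blob
               for f in DIRECT_IDENTIFIERS if f in original)


# Constructed sample order, as a cross-border ecommerce exporter might hold it.
SAMPLE_ORDER = {"order_id": "A-1001", "email": "Jane.Doe@example.com",
                "name": "Jane Doe", "country": "IT", "amount_eur": 49.90}

if __name__ == "__main__":
    outbound, eu_lookup = pseudonymise_record(SAMPLE_ORDER)
    print(json.dumps(outbound, indent=2))
    print("clear identifiers present:", contains_clear_identifiers(outbound, SAMPLE_ORDER))
```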

b. Contractual measures:

Include transparency obligations in contracts: require the partner to provide information and statistics based on its own experience, or on reports from various sources, about access to data by public authorities; to indicate what measures it takes to protect transferred data; to specify how it is legally prohibited from providing the information; and, in the case of an order from an authority to hand over the data, to engage its lawyers to verify the order's legitimacy.

c. Organisational measures:

Define shared data governance policies and shared procedures for handling requests from the authorities and from data subjects, create an EU-EEA liaison team for periodic reassessment of transfers, and adopt other measures identified on a case-by-case basis.

"This is a regulatory framework where uncertainty still reigns, as it is still in flux and constantly being updated. What I can recommend to companies, and in particular, to those making cross-border online sales, is to follow the 3-point scheme we have outlined and to keep themselves constantly updated on the latest developments in the field, seeking the assistance of a lawyer if they are not sure how to act", concludes Ms. Comito.

To avoid incurring penalties or making choices that could prove counterproductive for the company, the advice, at least in this first phase, is to be supported by specialised partners experienced in cross-border ecommerce transactions, such as Go Global Ecommerce, who can address the issue from all angles.
This will ease the transition to the new regulatory framework, facilitating adaptation and suggesting the steps to be taken.