US president Joe Biden and EU president Ursula von der Leyen had previously reached an agreement on how data transfers should take place between the US and EU member states to remain compliant with pre-existing protections, such as GDPR.
“Moving data from one jurisdiction to another always leads to potential conflicts between levels of data protection,” said David Reed, chief knowledge officer and evangelist at DataIQ. “Since the introduction of GDPR in the EU (now the Data Protection Act in the UK), it has become a benchmark that many countries are levelling up towards, including the US, although it still lacks federal-level legislation on data. The big issue for the EU’s LIBE is the access to personal information granted to national security agencies under laws like the Homeland Act. Few worries for controllers of limited personal information in the commercial realm, but as soon as more sensitive data gets attached, there are rightly concerns. It is worth noting that UK fingerprint data is already processed in the US, so in many respects, this is a stable door that is wide open.”
LIBE explains in its draft motion for a resolution that the DPF:
“…Fails to create actual equivalence in the level of protection; [and that it] calls on the Commission to continue negotiations with its US counterparts with the aim of creating a mechanism that would ensure such equivalence and which would provide the adequate level of protection required by Union data protection law and the Charter as interpreted by the [European Court of Justice]”.
Another concern is that federal law in the US does not cover data protection, and existing executive orders can be amended or removed at any time by the current or future US presidents. This creates a level of uncertainty that rightly needs to be addressed, particularly for maintaining data protection.
Finally, the order does not cover data accessed by public authorities using other means, and commercial data purchases are exempt. Voluntary data sharing agreements are also not covered.
In the future, if the DPF agreement is finalised, EU-based companies could share personal data with US-based companies without considering additional safeguarding measures. Based on the current conversation between the EU and US, this does not seem likely to be resolved soon, meaning businesses will have to continue operating as they have done and wait for a new data sharing opportunity to arise.