skip to content
[email protected] +32 2 513 63 23

Safeguarding data flows

Monday, 21 December 2020
data_protection press-releases

Safeguarding data flows

 

A joint statement from leading European associations on EDPB “supplementary measures” Recommendations

21 December 2020 - The undersigned European associations take the right to the protection of personal data seriously, whether it remains within the EU or is transferred internationally. The digital economy does not recognise borders and international data flows act as an enabler of the global economy. From the collection of personal data to its processing by a business to offer a service, the privacy protection and fundamental rights afforded to the individual are upheld by strict compliance with the General Data Protection Regulation (GDPR).

This means that when the personal data of European citizens flows outside the EU, the protection of the GDPR flows with it. A crucial tool that enables this international protection to be put into practice are Standard Contractual Clauses (SCCs).

Europe depends on data flows: whether for consumers buying products or services through their bank accounts, medical research or suppliers collaborating to overcome a health crisis, paymasters remunerating employees, agricultural traders supporting the food supply chain, travellers booking a flight or a hotel, matching job seekers to a job, manufacturers adding worth to industrial value chains, an SME launching a marketing campaign for a new brand, insurers outsourcing customer claims management or the analysis of statistics to support public services. Even simple tasks such as sending an email rely on data flows.

Whether directly or indirectly, many European businesses conduct transfers to grow in Europe and on the international stage.

More recently, the use of SCCs has unfortunately been thrown into disrepute. The European Data Protection Board (EDPB) has thankfully been tasked with clarifying this challenging situation and recently released (draft) Recommendations as a result. Unfortunately, the current draft will make Europe’s ability to operate within the global economy unreasonably impractical.

This is because the EDPB’s (draft) Recommendations:

  • Are overly prescriptive and therefore reject the risk-based approach of the GDPR and recent CJEU jurisprudence, disproportionately treating all personal data flows, no matter the context, as of potential interest to law enforcement authorities;
  • Mandate specific technical measures in all situations, deviating from the GDPR by prior- itising their use over organisational or contractual measures, raising barriers between entities willing to collaborate and build solutions for Europe;
  • Focus on unworkable end-to-end encryption and force decryption keys to remain in Eu- rope, meaning the intended recipient will not be able to make sense of exported data, poten- tially exposing data subjects to risks usually protected through tools relying on decryption;
  • Create legal uncertainty as they do not achieve a balance between the free flow of data and privacy protection currently promoted by the GDPR or align with the Commission’s (draft) SCCs, raising the risk of European fragmentation;
  • Hamper the free flow of data, causing a negative impact on digital trade and the benefits it offers Europe’s society.

This will not only harm European opportunities to enter international markets but also investment into Europe’s market itself and the capacity to offer the services and products Europeans demand.

In the short-term, the EDPB’s approach will cause a loss of European collaboration with the rest of the world when needed to weather the storm of the ongoing COVID-19 pandemic and beyond.

In the long-term, it will negatively impact Europe’s geopolitical influence, turning us inwards and risking retaliation from other regions.

While a challenging task, the EDPB’s current approach threatens Europe’s bid to become “fit for the digital age” to the detriment of strengthening Europe’s data economy, maintaining trust in digital services, ensuring high cybersecurity capacities and leading in Artificial Intelligence (AI).

The undersigned associations therefore call for the EDPB to rethink its approach in order to better align with the GDPR, recent CJEU jurisprudence and the Commission’s (draft) SCCs in order to safeguard Europe’s data flows in a more pragmatic manner.

We encourage:

  • Following a risk-based approach that takes the full context of data transfers into account;
  • The possibility to continue relying on contractual and organisational measures;
  • Developing workable technical solutions (rather than overreliance on encryption).

    Finally, since the Schrems II ruling, we continue to promote a reasonable grace period before this new framework comes into effect. Suddenly placing the responsibility on data exporters to evaluate whether a 3rd country’s legal regime is essentially equivalent with the GDPR represents a steep learning curve.