If, in the world of privacy, I had to pick one topic that never goes out of fashion, it would be managing international transfers of EU personal data. Since the introduction of the EU Data Protection Directive in 1995 and continuing with the EU General Data Protection Regulation (GDPR), companies that transfer personal data of EU citizens and residents to countries outside of the EU, such as the US, for storage and/or processing have dealt with a range of requirements, frameworks, and evolving standards.
The European Commission has so far recognised little more than 10 countries around the world, including Argentina, the UK, and Japan, as “adequate” for data protection matters. This means that companies can store and/or process EU personal data in these countries without complying with any additional requirements. The US doesn’t belong to this list, but voluntary frameworks, such as the earlier Safe Harbour Privacy Principles and the more recent Privacy Shield program, have been set up to help companies manage transfers from the EU to the US with more ease. Standards such as the EU Standard Contractual Clauses (SCC) and binding corporate rules (BCR) are among the options available to companies for transferring data from the EU to “third countries.” And if you transfer data of UK residents to a third country, there’s news for you, too. The UK approved new cross-border data transfer mechanisms, including a new International Data Transfer Agreement (IDTA) and a new International Data Transfer Addendum to the EU Standard Contractual Clauses (known as the “UK Addendum”). While the new standards are effective starting in March 2022, the compliance clock starts ticking in September: companies must use the new standards for new contracts starting on September 21, 2022.
In 2015, when European courts struck down Safe Harbour, about 5,000 companies relied on it. In 2018, when Privacy Shield was declared invalid, about the same number of companies had to change their approach. And yes, it is hard work! Data from the IAPP-EY Annual Privacy Governance Report 2021 shows that the majority of privacy professionals rate complying with cross-border data transfer laws as their most difficult task.
The EU updated its data transfer rules recently. New requirements include running and documenting a risk assessment, adopting the appropriate set of EU Standard Contractual Clauses, and, when necessary, implementing additional safeguards, including encryption backed by strong encryption key policies. And make no mistake: the rules might change again. Companies that have invested in meeting the new requirements will need to update their approach again when they do.
Data shows that most privacy teams are understaffed, with budgets that are systematically smaller than what privacy teams and their leaders need. Still, these teams embrace the mission of protecting customers’ and employees’ personal data, helping their organizations earn trust and play by the rules.
At the other end of the spectrum, one of the wealthiest businesses in the world, Facebook’s parent company Meta, threatened to leave the EU market altogether if regulators continued to impose rules that it struggles to meet! It’s a movie we have seen already: Meta (still Facebook at the time) tried the same threat in 2020. And just as it did two years ago, Meta is claiming that it has been misunderstood. Reactions from European regulators and policy-makers didn’t take long to surface, with most showing little concern (in fact, quite the opposite) about life in the EU without Meta’s services.
Meta protesting against privacy rules is not surprising. But it’s worrying. As we prepare to enter the metaverse, a range of unprecedented ethical and privacy risks are upon us. Privacy and ethics, as well as security and data governance, must be the priority of every business. If a company struggles so greatly to comply with international data transfer rules, what does that say about its ability and willingness to protect user data in the metaverse?
For guidance about handling international data transfers, privacy management, and trust, read our research and schedule an inquiry. If you want to share your views about managing privacy in the metaverse, please get in touch.