My Data Lies Over the Ocean, My Data Lies Over the Sea

Data zips across the Atlantic over submarine communications cables and pings across the sea to and from satellites at light speed.

These transatlantic data flows are critical to the economic relationship between the United States and the European Union: The White House places a $7.1 trillion value on US/EU cross-border commerce. While the US and EU share trade and investment interests (we are each other’s largest trade and investment partners), our approaches to data privacy are different.

In the EU, data privacy is viewed as a fundamental human right, reflected in the General Data Protection Regulation (GDPR). In the US, we have no federal data privacy law (yet!) – instead, we have a handful of state laws and federal laws applicable to specific industries.

Side Note: the Shared Assessments Standardized Information Gathering (SIG) Questionnaire is mapped to both domestic and international regulatory guidance including GDPR, and California, Colorado, Connecticut, Utah, and Virginia privacy bills. (Each state has its own nuance on what constitutes personal data and specifications for individual rights.)

Efforts have been made to unify the United States’ lackluster approach to data privacy with the European Union’s more stringent approach through formalized frameworks. Legal developments in the past several years have put the transatlantic data flow in jeopardy – two prior US-EU safe harbor programs (Safe Harbor Privacy Principles and Privacy Shield) were declared invalid by the European Court of Justice (ECJ).

The invalidation of Safe Harbor and Privacy Shield raised “costs and concern for a lot of small companies that don’t have giant compliance departments and fleets worth of lawyers,” explains Morgan Reed, president of the App Association, in Wired Magazine.

After a two-year gap in the legal framework for transferring personal data from the EU to the US, President Biden signed an Executive Order (E.O.) on Enhancing Safeguards for United States Signals Intelligence Activities earlier this October.

“This measure is a milestone in restoring sanctioned legal mechanisms for international privacy data transfers,” says Andrew Moyad, Shared Assessments’ CEO. This order will likely bring a new EU-US Data Privacy Framework, establishing a body within the US Department of Justice to oversee how US national security agencies access both Europeans’ and Americans’ data. This is a step toward restoring confidence that the transatlantic data flow can continue under a new agreement aligned with EU law.

“Companies that have spent the past two years wrestling with these clauses are pleased by the order; they want to get back to business as usual,” writes Morgan Meaker, covering the recent Data Privacy E.O.

But – not everyone is pleased. Max Schrems, the Austrian privacy activist whose complaint against Facebook led to the demise of Privacy Shield in 2020, criticizes the new E.O.: “We do not see a ban on bulk surveillance and no actual limitations.” The ACLU piles on: “Although the executive order is a step in the right direction, it does not meet basic legal requirements in the EU, leaving EU-U.S. data transfers in jeopardy going forward.”

Whether the latest E.O. calling for a new EU-US Data Privacy Framework is accepted or modified, Data Controllers (EU data owners and data exporters) still have a duty to perform diligence on and to manage their Data Processors (their vendors or other third parties managing protected EU personal information, including affiliates).

As the EU-US Data Framework evolves, the Shared Assessments Third-Party Risk Management Product Suite helps organizations of all sizes ensure their data privacy compliance.

Within the Shared Assessments Standardized Information Gathering (SIG) Questionnaire, our Privacy Domain includes relevant GDPR mappings. Other Cyber, Privacy, Compliance, and Operational Domains within the SIG cover additional technical and organizational measures (TOMs) that Data Controllers are obligated to record with their Data Processors. (Shared Assessments offers a pre-packaged Privacy SIG Template that can be used when conducting a stand-alone data protection impact assessment for your organization or your vendors. The Privacy SIG Template can also serve as a pre-scoping product for prioritizing vendor assessments.)

The Shared Assessments Data Governance Products include the Target Data Tracker, which helps organizations identify company or third-party locations as well as fourth/Nth Party or subcontractor locations to understand the data-processing environments of these parties.

The Target Data Tracker brings focus to data protection and data governance – it can be used to:

  1. Collect information needed to manage vendor/data inventories
  2. Identify and track disclosures to Third and Fourth Parties
  3. Collect information and create an artifact template to support GDPR Standard Contractual Clauses (SCCs)
  4. Conduct data protection or data transfer impact assessments
  5. Identify and confirm cross-border or international data transfers
  6. Assist Business Resilience Teams with understanding vendor and fourth party locations
  7. “Pre-scope” to gather information to determine a vendor’s risk tier or classification
  8. Create a “Record of Processing” for GDPR
  9. Maintain and document disclosures for CCPA/CPRA
  10. Maintain evidence of due diligence and M&A reviews

The Shared Assessments TPRM Product Suite provides a risk management diligence framework for your supply chain, helping your organization address specific data protection obligations in third-party risk.

By land, by sea, by air, your organization is obligated to understand where its data goes and to adhere to frameworks for transatlantic data flows.