
Some companies likely will have to significantly change how they secure data to continue working with European companies, under draft guidelines issued last week by the European Union that require increased privacy safeguards for information transferred outside the bloc.

Businesses could be forced to adopt strict encryption practices and ensure the personal data of Europeans can’t be decrypted if companies move that information to the U.S. and other countries outside the EU, the draft rules said.

The guidelines likely will boost the use of emerging methods of data encryption, privacy experts say.

The guidelines are an attempt to respond to significant uncertainty since a July ruling from the EU’s top court, which said the EU-U.S. Privacy Shield was illegal. That agreement was sealed in 2016 and enabled trans-Atlantic commercial data transfers, but the court said U.S. government surveillance was a threat to privacy, and that Europeans didn’t have sufficient options for redress in the American legal system.

The EU court also determined companies could continue to use a separate, widely used international data-transfer arrangement known as standard contractual clauses, but only with additional safeguards to guarantee data will be safe from surveillance.

The regulators’ draft guidelines mean that “transfers of data to third-party countries is severely curbed,” said Lukasz Olejnik, a Brussels-based independent cybersecurity researcher and consultant.

Separately, the European Commission, the EU’s executive body, last week published a draft revision of its standard contractual clauses, which are preapproved contracts specifying how companies can transfer data to countries outside the bloc. The new clauses tighten requirements for companies moving data to business partners or subsidiaries abroad.

The regulators’ draft guidelines would apply to countries outside the 27-member union that don’t have a so-called adequacy decision with the bloc. EU authorities have so far given 12 countries, including Canada and New Zealand, an adequacy finding, deeming their privacy laws strong enough for companies to move Europeans’ personal data there without special precautions.

The regulators listed several options companies could use to continue moving data abroad without violating the EU’s 2018 General Data Privacy Regulation. The guidelines don’t require firms to use specific measures, but stipulate companies violate EU law when they transfer data without safeguards as strong as their recommendations. The draft will be open for public comments until Nov. 30.

The European Commission’s draft standard contractual clauses also include updates to respond to the July court decision. Under the draft, which will be open for comments until Dec. 10, firms outside the EU would have to inform business partners if any government office or intelligence authority submits a legally binding request to access Europeans’ data. The Commission preapproves these privacy clauses.

Companies will need to assess whether the laws of other countries threaten privacy, which means they will need sufficient and accurate information about foreign legislation, said Henri Kujala, global privacy officer at HERE Global BV, a digital-mapping service company majority-owned by Volkswagen AG’s Audi, BMW AG and Daimler AG. Making that assessment could become more complex if laws change in countries where a company’s suppliers are located, he added.

Regulatory support for techniques such as homomorphic encryption and multiparty computing will likely boost the use of those methods, Mr. Kujala said. Homomorphic encryption technology enables calculations to be performed on encrypted data without decrypting it. Protection through multiparty computing splits data between computers so it can’t be used to identify an individual without additional information.

“This could significantly affect the way companies approach encryption,” said Caitlin Fennessy, research director for the International Association of Privacy Professionals, a trade group.

For many companies, complying with the new guidelines for data transfers would mean pushing cybersecurity and privacy teams to work together more closely, Ms. Fennessy said. Together, they will have to iron out technical measures such as encryption policies, she said. “Privacy professionals are going to have to work hand-in-hand with security professionals more so than they ever have in the past,” she said.

Write to Catherine Stupp at [email protected]

Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved.

This post first appeared on wsj.com
