• Privacy
  • Privacy Shield

Cross-Border Data Transfers: A Conversation


On November 11, 2021, in response to the uncertainty following Schrems II invalidation of the EU-US Privacy Shield, the European Data Protection Board (EDPB) issued long-awaited guidance on complying with GDPR requirements for the transfer of personal data from the EU to other jurisdictions, particularly the U.S. Fundamentally, the guidance was intended, among other things, to clarify what constitutes an international data transfer. is it a jurisdictional issue? A physical jurisdictional issue? A legal issue?

Does the EDPB guidance provide the needed definitional clarity of what constitutes a transfer? Does it solve for Schrems? Does the current trend toward data localization solve for cross-border transfer issues are create further ambiguity and even security risk?

As part of an ongoing series, WireWheel CEO Justin Antonipillai and co-host Daniel Solove met with Peter Swire, professor at Georgia Tech’s new school of cybersecurity and privacy and a witness in the Schrems case, the Atlantic Council’s Kenneth Propp (who worked with Justin in the Obama Administration, and Orrick partner Shannon Yavorsky who advises clients on these matters, to discuss these issues. The webinar Cross-Border Transfers: A Conversation can be accessed here.

So, what is a transfer?

It’s really interesting because there’s never been a definition for international data transfer and it’s been the subject of discussion and commentary over many, many years as to what actually constitutes an international data transfer.

—Shannon Yavorsky

As Yavorsky notes, the EDPB provided a sort of three-prong test to identify whether there is a data transfer.

  • That there is a controller or processor that is subject to the GDPR;
  • That there an exporter that makes data available to an importer. “This is important because there was always a question hanging over whether any direct collection of data from individuals located in Europe by, for example, a U.S.-based entity constituted, a data transfer; and
  • That the importer is in a third country, regardless of whether the importer is subject to the GDPR.

“It almost raises as many questions as it clarifies,” opines Shannon. “There was always a question concerning what mechanisms could be used for cross-border data transfer. As the derogations got narrowed by commentary coming out of the EDPB, it became less clear that you could rely on the derogations. But for some of my clients, it’s been tremendously helpful to have more clarity on direct collection.”

“One other piece I noticed, is corporate families versus the same corporation,” says Swire. “There was some language in the discussion that if it’s an affiliated company inside a holding company, at some point, it really is a different entity. And then you have to go into all these different entities as an importer. To me, it wasn’t clear.”

Peter poses the issue of a company with different branches, perhaps one in France and one in the U.S. “It seems as if that might not be a transfer…If it’s a different corporation, probably a transfer, but inside the same company it seemed like it wasn’t a transfer.”

“I put that into the bucket of things that was not clarified,” says Antonipillai:

You get into some metaphysical/technical questions about when is a transfer occurring. A really good example of what we see regularly when you get into real-time adtech when you collect data, for say a consent, and you store it just in Europe, and now you want to resolve that consent with the same person who might be accessing a U.S. site. Is that a cross-border data flow, because, technically, there’s an access for U.S. purposes in the same company?

—Justin Antonipillai

Propp observes that the guidance obviously “has a geographic focus to it with respect to clarifying what is a transfer, and that’s helpful, but it does end up in the somewhat paradoxical situation that the companies that are already subject to the GDPR by virtue of a local establishment nonetheless have to employ transfer with related safeguards.”

The elephant in the room

“I’ve always seen a bit of a tension between the Court of Justice of the European Union (CJEU) and other European institutions when it comes to cross-border data transfer,” says Solove. “I look at the logic of Schrems and I don’t see any of the guidance solving the fundamental issues in Schrems.”

Better contractual clauses don’t really solve the big problem. And that is, if the NSA wants the data, they can get the data.

If the Data finds its way to the United States, whether it’s the same company [or not], the concerns the CJEU had in Schrems still exist in that situation. So can it just be, ‘oh cool, we’ll just not define it as a cross-border data transfer and somehow we’ll escape from all these countries?’

—Daniel Solove

“Right now, my reading of it, is it doesn’t add up, says Solove. “This is still a mess and no one’s addressing the elephant in the room.” And that elephant has a pedigree tracing back to Snowden.

The effect of the Snowden papers “turned out to be even bigger than a lot of people realize,” notes Swire. At the time the Snowden papers came out in early 2013 in June. GDPR was dead. And it’s clear that when it [overwhelmingly] passed by that the concern about the NSA was enormous and really drove the political process toward a stricter version than it would have been without Snowden.

In my testimony in the Schrems case, I wrote 300 pages explaining the many constraints that exist under us law on the NSA. That they were the strictest sets of intelligence restrictions of any of the democracies. But under European law that’s not relevant. They’re not testing us compared to Germany or France, they’re testing us compared to the CJEU standard. So, we have concerns, based in part on Snowden, that are driving [the idea of] a surveillance problem that needs a massive solution from Europe.

—Peter Swire

Be that as it may, as Yavorsky notes pragmatically queries: “But have you seen anyone actually stop data transfers? Because I haven’t.”

The Data Localization Response

The growing response to the lack of clarity, and burdensome administrative overhead concerning justification of cross-border data transfers has been to localize data. Swire notes that a recent Ernst & Young report “found that 20% of the respondents said there’s been significant data localization since Schrems.” And that “20% to report there’ve been major changes in their business to localize in is nontrivial.”

But the definition of localize may be as hard to pin down as the definition of transfer. “I wonder what they mean by localized, really?” says Antonipillai. “What I’ve heard when is when they say “localizing,” it means storing locally and accessing and processing it in a lot of places.”

The focus has primarily been on local storage. What we’re starting to see now are criteria emerging in countries like France in the context of cyber security standards, that there be limits on foreign ownership of cloud companies that operate there and, and also somehow immunity from foreign jurisdiction.

Once you add those criteria into the conversation it becomes even more complex, I think for U.S. companies to deal with.

—Kenneth Propp

And, as Propp notes, there is a deleterious effect on cybersecurity that comes with localization as “it’s very hard to do centralized management of a company’s computer system.” Furthermore, “it’s unclear whether you can buy cyber security services from overseas, the way Cloudflare got kicked out of Portugal.”

So, what’s a company to do?

Given the still-existing ambiguities post-EDPB guidance, the Schrems elephant, Snowden’s shadow, and unlikely occurrence of globally agreed standards, Solove asks the ultimate question: “what does a company do? How does a company figure out what the right level of compliance is?”

“I don’t think there’s actually a way to fully comply the way things stand now. Is every company supposed to try and do an analysis of every country’s surveillance law?”

We’ve all recognized that there are a lot of legal fictions that go on in the world of cross-border data transfer…So it comes down to what do you do in these scenarios?

At the end of the day, you have to put together a defensible narrative…and lean a little bit on the risk-based approach to the GDPR: that you’ve done your transfer impact assessment. You’ve reviewed and made any appropriate adjustments, including potentially localizing data…made efforts to implement appropriate safeguards: You’re going to be in a reasonably good position vis-a-vis a regulator coming and taking a look under the hood.

—Shannon Yavorsky

“I think it’s worth pointing out that it’s not just – or even primarily – U.S. companies that are facing this situation,” says Propp. European companies too are dealing with an unprecedented sense of uncertainty about ultimate liability.”

Until we can reconcile government access to commercial data flows, the concerns, elephants, and ambiguities are likely to remain. The question is going to continue to be with us. As Ken optimistically offers, “we’re starting to see encouraging signs of that, but it’s going to take continued initiative.”