listen to this article:

Customer Privacy and Transferring Data from EU

The United States and the European Union are at an impasse over the transfer of private EU data to the United States for processing. This conflict may often be resolved with advanced technology. 

Political Differences Caused the Rift 

The clash between the EU and the US has been brewing for years. It stems from a basic principle of European data protection law: personal information about EU citizens cannot be transferred to a jurisdiction that lacks legal privacy protections equal to those in the EU. 

For many years, agreements between EU and US authorities provided a practical path for bringing data to the US. Known as Privacy Safe Harbor, and Privacy Shield, the agreements hinged on U.S. companies committing to protect the privacy of European data. 

After many years of success, Privacy Safe Harbor in 2016, and then Privacy Shield in 2020, were invalidated by a high court, the Court of Justice of the European Union. In the so-called “Schrems” cases, the court ruled Safe Harbor and Shield did not provide adequate protection because US government agencies like FBI have too much legal access to data. The rulings reflect Europe’s veneration of privacy as a central human right and its political displeasure with America’s appetite for gathering intelligence data around the world.  

Privacy Safe Harbor and Privacy Shield were both negotiated before the well-known EU law, General Data Protection Regulation (GDPR), went into effect in 2018. But the basic European law on data transfer has remained constant, both before GDPR and now under GDPR. 

Learn more about privacy-preserving acts in the EU and US in our GDPR and CLOUD Act Guide 

Data transfer Confusion Impedes Commerce 

The court’s rulings have caused confusion. The court did not say private data may come to the United States under no circumstances. But the court cast skepticism on transfers to the United States, citing the legal authority of US government to seize data. 

This confusion has already had practical impact in Portugal. The Portuguese data protection authority ordered the government agency conducting the census to stop using a California company, Cloudflare, to manage the online collection of census data.  For the census agency, this order is a big headache. The agency needed to do business with Cloudflare because the company offered the right services at the right price. The agency had negotiated a stringent contract with Cloudflare to protect data privacy. But the data protection authority said the contract was not enough because it cannot prevent the US government from accessing data under US law.  

The confusion around data transfers has further caused the data protection authority in Ireland to undertake a formal investigation into whether Facebook must stop sending European data to the US.  

Privacy Confusion Stymies Financial Institutions 

This data transfer controversy affects many industry sectors, including financial services.  

To give one example, suppose a financial institution legally collects personal data in the European Union. The institution is required to comply with anti-money laundering laws and other rules that forbid doing business with disfavored entities, such as terrorist groups, against which trade sanctions have been imposed. Compliance with these laws and rules is very challenging, but the challenges can be met through sophisticated analysis of data. Suppose further that the institution wants to analyze or otherwise evaluate data using a uniquely qualified service provider in the United States. EU authorities, however, may conclude that the financial institution cannot draw upon the services of the US service provider, citing the current interpretation of EU privacy law. 

As a second example, suppose a bank in Europe wishes to interact and exchange data with customers wearing smartwatches. And suppose the best technology for managing the interaction runs from a service provider in Massachusetts. Again, the bank might not be able to use the American service provider because European authorities interpret their law to forbid the exposure of customer data to a company in the US. 

The Problem with Data Transfer is Possible Access by the US Government 

In the two examples just given, the Court of Justice does not object in principle to the American companies having controlled access to data. The Court objects to the possibility that US government authorities may access the data in accordance with US law, using for example a subpoena. Thus, if there were a way for the American companies to render service, while also preventing access by the US government, then the Court would be satisfied. 

Here is another way to say it: If personal European data can be evaluated or processed without the content of that information being understood, then US authorities cannot understand the data while it is subject to US jurisdiction. 

Cryptography Points to Potential Solutions 

Is it possible to allow data to be exposed to a service provider in the US without anyone in the US (such as the FBI) being able to understand the content of the data? Advanced computational solutions suggest the answer is yes. 

One can imagine solutions that require coordinated action by both the US service provider and its enterprise customer in Europe. Unless the two parties act together, no one in the US can understand the content of the data. For instance, if two cryptographic keys are needed to decrypt data, then those keys can be geographically divided, one in the US and the other in the EU. Alternatively, part of a data element, such as a name, might be controlled in the US while the other part is controlled in Europe. Comprehension of the data element would require cooperation by someone in the US and another person in the EU. In either instance, meaningful access to the data in the US would be foreclosed unless someone in Europe is participating. 

European thought leaders have mentioned solutions like these as enablers for the transfer of EU personal data; they have referred to homomorphic encryption and multi-party computation. Further, these types of solutions are consistent with authoritative guidance from the European Data Protection Board. 

Demand for Technical Innovations Grows 

Trade between the United States and the European Union represents a large portion of global commerce. But this trade is threatened by the current interpretation of GDPR. Trading parties need creative technical solutions. Successful solutions applicable to EU-US data flows could also be used to facilitate the flow of data in other parts of the world. 

Note: This article does not provide legal advice for any particular situation. If you need legal advice, you should consult a qualified lawyer.