A recent major ruling in Europe undermines a mechanism thousands of firms use to transfer personal data to the US. This has big implications for sectors such as private banking and wealth management. This article examines the fine details of what is at stake.
This publication's head of research, Wendy Spires, is also a Certified GDPR Practitioner who takes a keen interest in all things related to data privacy in wealth management. This feature unpicks the implications of the recent “Schrems II” ruling affecting data transfers from Europe to the US. Data protection, as this publication has recently pointed out, is also a concern for cross-border transfers of tax data. For a variety of reasons, this is a subject that wealth managers must understand.
Last week’s shock European Court of Justice ruling invalidated the Privacy Shield mechanism which thousands of companies used to transfer personal data to the US in compliance with the EU’s General Data Protection Regulation. The implications for the wealth sector’s data ecosystem could be huge.
Under the GDPR, in force since 2018 and widely imitated as the international “gold standard”, transfers of personal data from the European Economic Area (EEA) to third countries are permitted only under strict safeguarding mechanisms, unless the European Commission has found the recipient country to offer adequate protection (currently 12 countries). The Privacy Shield was itself such an adequacy decision, limited to US organizations that self-certified to its principles. Considered less onerous, rigid and costly than other transfer mechanisms, it has been a popular choice, with more than 1,000 organizations signing up last year alone, according to the Future of Privacy Forum (FPF).
The ruling, known as Schrems II, is the latest development in the EU’s long-running privacy dispute with the US. It centers on the access that US intelligence bodies such as the National Security Agency have to transferred data under US surveillance law, and on the lack of effective judicial redress for EU data subjects whose rights have been infringed. The Court left Standard Contractual Clauses standing in principle, but exporters relying on them must now assess whether the destination country’s law allows the clauses to be honored in practice, and add supplementary measures where it does not.
A blow on both sides of the Atlantic
It deals a blow to the 5,348 active EU-US Privacy Shield participants, and in particular to the 259 European-based companies which the FPF recently identified as relying on it, a conservative estimate that does not count global companies based elsewhere but with major European offices. Nor should employees be forgotten, since the FPF estimates that a third of participants signed up to the Privacy Shield to transfer human resources data.
Financial services and insurance firms themselves are ineligible for Privacy Shield certification, since they fall outside the jurisdiction of the US Federal Trade Commission, but all manner of processors serving them, such as software, cloud service or outsourcing providers, are eligible, and that is where the sector’s exposure lies.
Sorcha Lorimer, CEO of Trace, a software vendor for data protection compliance, says: “Modern enterprises typically rely on cloud providers to process personal data – whether that's your CRM system, HR tool or online accounting services. And the personal data you store, as a controller, and that your team uploads to these systems can be stored across multiple geographical locations by cloud service providers.”
“It's therefore likely that personal data your company is accountable for is stored outside the EEA by your providers. That's why the Schrems II ruling is so seismic: the compliance implications for European organizations are huge.”