Privacy Shield Meltdown: Where Next For Wealth Managers?

A recent major ruling in Europe undermines a mechanism thousands of firms use to transfer personal data to the US. This has big implications for sectors such as private banking and wealth management. This article examines the fine details of what is at stake.
WealthBriefing’s head of research, Wendy Spires is
also a Certified GDPR Practitioner who takes a keen interest in
all things related to data privacy in wealth management. This
feature unpicks implications of the recent “Schrems II” ruling
affecting data transfers from Europe to the US. Data protection,
as this publication has recently pointed out, is also a concern
for
cross-border transfers of tax data. For a variety of reasons,
this subject is one that wealth managers must understand.
Last week’s shock European Court of Justice ruling invalidated
the Privacy Shield mechanism which thousands of companies used to
transfer personal data to the US in compliance with the EU’s
General Data Protection Regulation. The implications for the
wealth sector’s data ecosystem could be huge.
Under the GDPR, in force since 2018 and the much-imitated international
“gold standard”, transfers of personal data from the European
Economic Area (EEA) to third countries are only permitted under strict
safeguarding mechanisms, unless the recipient country is one of the
(now) 12 that the EU Commission has deemed to provide adequate
protection. Considered less onerous, rigid and costly than the other
transfer mechanisms, the Privacy Shield has been a popular choice,
with more than 1,000 organisations signing up last year alone,
according to the Future of Privacy Forum (FPF).
The ruling, known as Schrems II, is the latest development in the
EU’s long-running privacy war with the US and centres on bodies
like the National Security Agency having access to data and a
perceived lack of judicial redress for data subjects whose rights
have been infringed.
A blow on both sides of the Atlantic
It deals a blow to the 5,348 active EU-US Privacy Shield
participants, and in particular the 259 European-based companies
the FPF recently identified as relying on it - and that is a
conservative estimate not counting global companies based
elsewhere, but with major European offices. Nor should employees
be forgotten, since FPF estimates that a third of participants
signed up to the Privacy Shield to transfer human resources
data.
Financial services and insurance firms themselves are ineligible
for Privacy Shield certification, since they are outside the
jurisdiction of the US Federal Trade Commission, but all manner
of processors like software, cloud service or outsourcing
providers serving them are.
Sorcha Lorimer, CEO of Trace, a software vendor for data
protection compliance, says: “Modern enterprises typically rely
on cloud providers to process personal data - whether that's your
CRM system, HR tool or online accounting services. And the
personal data you store, as a controller, and your team upload in
these systems can be stored across multiple geographical
locations by cloud service providers.”
“It's therefore likely that personal data your company is accountable for is stored outside the EEA by your providers. That's why the Schrems II ruling is so seismic: the compliance implications for European organisations are huge.”
Urgently seeking alternatives
Experts are urging organisations to seek alternative transfer
mechanisms as a matter of urgency, since although firms were
given a three-month grace period when Privacy Shield’s
predecessor, Safe Harbor, was struck down in 2015, the
authorities are beginning to take a more aggressive approach,
such as the Berlin authority which has looked to suspend
transfers relying on Privacy Shield.
Standard Contractual Clauses (SCCs) seem to be the order of the
day (those either adopted by the EU Commission, approved by it
after development by national Data Protection Authorities or
negotiated on a bespoke basis between organisations and DPAs). In
fact, Ross McKenzie, partner at law firm Addleshaw Goddard
believes most firms working under the Privacy Shield would also
have SCCs in place as a back-up “because we knew this might
happen”.
As McKenzie observes, there was actually much cause for rejoicing
in the fact that the ruling upheld the validity of
SCCs.
“That piece was most worrying because we could have seen the
European Court of Justice potentially unpicking the thread that
holds our global tapestry of data protection transfers together,”
he says. “We would have had the worst of both worlds, where you
don’t have a transfer mechanism and you don't have a solution.
It’s been a positive result in the sense that it gives some
commercial common sense to the situation.”
Devil in the detail
However, there is devil in the detail of how the ruling dictates
that SCCs should be approached which experts have been quick to
point out. “It clearly says, ‘We're not happy with the US
systems,’ so the data protection officer is now being expected to
effectively audit data transfers to global businesses,” says
McKenzie. “And they're now expected to suspend transfers if they
suspect the legal system of another country can't support the
contract and the rights of individuals.” He added that SCCs
always had this requirement, but SCCs are often not
scrutinised.
Another, ambitious, option is for multinationals to develop
Binding Corporate Rules unilaterally imposing GDPR standards for
intra-group transfers. With an extensive list of requirements and
lengthy negotiations with multiple DPAs necessitating hefty legal
fees, these are not for the faint-hearted. However, as McKenzie
observes: “BCRs haven't been scrutinised by the European Court of
Justice because they are viewed as a much higher standard, so
that is a positive message.”
Firms that decided to make the investment have experienced a
“halo effect”, he confirms, but BCRs are as vulnerable to
scrutiny as other transfer mechanisms since they often depend on
SCCs for transfers outside a company group. This is clearly
far from the end of the EU’s crusade against jurisdictions which
it sees as offering inadequate data protection safeguards;
experts are now calling for political solutions to what seem to
be intractable problems, many of them rooted in constitutional
law. Wrangling over Brexit and data protection promises to be
particularly fraught, many warn.
Further guidance incoming
In the short term, data controllers and processors anxiously
await guidance from their respective DPAs (it should be noted
that the US Department of Commerce is still holding firms to
their Privacy Shield commitments on pain of data deletion). There
are a number of practical steps responsible data controllers
should be taking right now however, says Lorimer: “Firstly,
review your Records of Processing Activity and supply chain to
understand your personal data processing. Where are transfers
taking place? Where do your third parties store your data?
“Next, assess the impact of those flows on compliance and
contracts. Do you need to use SCCs in place of Privacy Shield?
Where are there gaps and risks? Is your data in an adequate
location and being protected by the appropriate technical and
organisational measures?”
As she highlights, the spirit of the GDPR is imbued with the
accountability principle. So, despite wealth managers
increasingly operating via a complex web of data transfers both
internal to groups and to third parties, they must get clarity
and maintain it.
“It might seem like a large piece of work, but when it comes to
your data flows it's vital to understand the full picture to
remain accountable and to know what guardrails your contracts
provide,” Lorimer concludes. “In light of this ruling it should
be right at the top of firms’ to-do lists.”