Regulators and courts are asking for proof of how companies protect data that leaves the EU
By Catherine Stupp | May 4, 2021 5:30 am ET | WSJ PRO
European privacy regulators and courts are looking into how companies transfer personal information to the U.S. and have ordered suspensions of some data flows.
Portugal’s data protection authority last week required the country’s statistical institute to stop sending personal information to the U.S. from Portuguese residents filling out the national census, after determining that there weren’t sufficient privacy safeguards in the institute’s contract with California-based cloud security and infrastructure provider Cloudflare Inc.
The decision is the latest move by European officials to clamp down on how companies transfer data from the European Union to the U.S. following a ruling last July from the bloc’s top court. The ruling demanded additional privacy protections if businesses move data outside the 27-country union. Regulators around Europe are looking into similar data-transfer issues, and privacy advocates have filed lawsuits to try to force companies to keep personal data from entering the U.S.
“It’s obvious not everyone is undertaking the level of assessment that’s required,” said Eduardo Ustaran, co-head of the privacy and cybersecurity practice at law firm Hogan Lovells International LLP.
The EU court ruling last July said U.S. government surveillance poses a threat to Europeans’ privacy and companies’ safeguards must guarantee that data won’t be exposed. U.S. laws can require companies to provide customer data for a law enforcement investigation.
Portugal’s regulator received about a dozen complaints related to how the statistical institute collected personal data for the country’s census and ordered the institute to stop sending data to the U.S. within 12 hours of its decision, said Clara Guerra, a spokeswoman for the authority.
“It was an immediate risk for data subjects. We’re talking about the whole population of residents in a country,” she said. Census respondents provided their full name and could opt to answer questions about their health and religion, she said. Those two issues are considered especially sensitive types of data under the EU’s 2018 General Data Protection Regulation, the bloc’s strict privacy law.
Ms. Guerra said it didn’t matter whether the statistical institute actually transferred data to the U.S.; doing so was possible under its contract with Cloudflare, and there weren’t protections to safeguard Europeans’ rights.
Cloudflare said in a statement that the institute didn’t transfer any personal data to the U.S. The institute stopped using the technology company’s services, said Alissa Starzak, Cloudflare’s head of public policy. The Portuguese statistical institute didn’t respond to a request for comment.
Ms. Starzak said that after the EU court ruling last July, Cloudflare customers requested safeguards such as guarantees that their data wouldn’t leave the union. The company introduced services shortly after the ruling that made it easier for customers to control where their data is stored. Some opted for safeguards that are stronger than those privacy regulators recommended, such as ensuring data won’t leave a jurisdiction, she said.
“Nobody wants to be the entity who is targeted. If you’re worried about it, it’s much easier to be cautious,” said Cloudflare’s Ms. Starzak.
In Bavaria, Germany, the privacy authority asked a company what safeguards it used to protect email addresses from individuals who received a newsletter operated by Rocket Science Group LLC’s Mailchimp, a marketing technology company based in Atlanta.
The company that used Mailchimp stopped using the newsletter service, a spokeswoman for the authority said. She declined to name the company. Mailchimp declined to comment.
The EU court ruling in July prompted companies to assess whether they can continue transferring data to the U.S., and also led privacy advocates to file lawsuits seeking to stop data from traveling out of the EU.
A group of 169 French drivers for Uber Technologies Inc. filed a lawsuit in February in the country’s top court asking for the ride-hailing company to stop sending drivers’ personal information to the U.S.
“This data can be used by any U.S. authority without any control,” Jérôme Giusti, a lawyer representing the drivers, said in an email. An Uber spokesman said, “We do not share our users’ personal data for commercial purposes without an appropriate legal basis, or sufficiently aggregated not allowing identification of our users.”
More scrutiny of trans-Atlantic data transfers is likely, Mr. Ustaran said. The privacy regulator in Hamburg, for example, audited companies and government offices asking about safeguards they use to protect any data that might travel to the U.S., a spokesman said. Some adjusted their data-transfer methods, and the regulator’s office is continuing to send questionnaires to companies about how they protect data leaving the EU, he added.