Irony Alert: US Could Block Personal Data Transfers To Ireland, European Home Of Digital Giants, Because GDPR Is Not Being Enforced Properly
from the biter-bit dept
Last year, the EU’s top court threw out the Privacy Shield framework for transferring personal data between the EU and US. The court decided that the NSA’s surveillance practices meant that the personal data of EU citizens was not protected to the degree required by the GDPR when it was sent to the US. This was the second time that such an agreement had been struck down: before, there was Safe Harbor, which failed for similar reasons. The absence of a simple procedure for sending EU personal data to the US is bad news for companies that need to do this on a regular basis. No wonder, then, that the US and EU are trying to come up with a new legal framework to allow it, as this CNBC story notes:
Officials from the EU and U.S. are “intensifying negotiations” on a new pact for transatlantic data transfers, trying to solve the messy issue of personal information that is transferred between the two regions.
Even if they manage to come up with one, there’s no guarantee that it won’t be shot down yet again by the courts, unless the underlying issues of NSA surveillance are addressed in some way — no easy task. Meanwhile, there’s been a fascinating development on the US side, reported here by The Irish Times:
The US Senate is to debate a proposal to limit foreign countries’ access to US citizens’ personal data and to introduce a licence requirement for foreign companies that trade in this information.
The draft “Protecting Americans’ Data From Foreign Surveillance Act”, presented on Thursday by Democratic Senator Ron Wyden of Oregon, is aimed primarily at curbing the sale and theft of data by “shady data brokers” to “hostile” foreign governments such as China.
The law may be aimed primarily at China, but its reach is wide, and it could hit an unlikely target. As the Irish Council for Civil Liberties (ICCL) explains, the new Bill (pdf) aims to stop the personal data of US citizens being transferred to locations with inadequate data protection — just as the EU’s GDPR does. But according to the ICCL, one country that may fall into this category of dodgy data handling is Ireland:
ICCL understands from those who wrote the draft Bill that Ireland’s failure to enforce the GDPR is of particular concern. The Bill intentionally uses language from the GDPR, and targets this enforcement failure. The draft Bill makes clear that merely enacting strong data protection law such as the GDPR is not enough. That law must be enforced.
Most digital giants have their European headquarters in Ireland. Under the GDPR, it is Ireland’s Data Protection Commission (DPC) that must investigate and ultimately fine these companies for their GDPR infringements anywhere in the EU. The DPC has opened many data privacy inquiries (pdf), but has so far failed to impose serious fines. Without strict enforcement by the Irish authorities, there is a growing feeling that the GDPR could be fatally undermined. Hence the risk that the US might not allow personal data to be transferred to Ireland, if the new “Protecting Americans’ Data From Foreign Surveillance Act” becomes law. Given the long-standing concerns over the protection of personal data flows from the EU to the US, that would be a rather ironic turn of events.