It is fair to say that a lot has gone on with data recently. Google announced plans to phase out third-party cookies, which it has since delayed until 2023. Apple has made big changes focused on privacy and app tracking, only to quietly roll some of the more radical aspects of that tracking change back. Users want more privacy and tech companies are struggling to comply with that reality. Google’s antitrust woes in the U.S. are still rumbling on. Apple’s tracking changes, though watered down, have cost social media companies an estimated $10 billion.
But “big tech” is also facing some serious regulatory pressure in 2022. With much of that pressure coming from the E.U. This all started back in 2020 with the Schrems II verdict. A rather obscure ruling that has nudged several large and very noisy dominos. Which might start falling very, very soon.
But what is Schrems II and what does it all mean for international businesses? What does it mean for organizations doing business in ASEAN and the E.U.?
Let’s find out.
What is Schrems II?
In July 2020, the Court of Justice of the European Union (CJEU) issued a verdict that invalidated the EU-US data flow arrangement, called Privacy Shield. This verdict, later to become known as Schrems II after Max Schrems, an Austrian lawyer and activist.
The verdict to strike down the Privacy Shield focused on concerns around surveillance by U.S. state and law enforcement agencies. The press release for the ruling explicitly states that “that the requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred to that third country.”
This interference by U.S. authorities was found to be incompatible with E.U. data protection legislation that protects the rights of E.U. citizens.
The Schrems II verdict focuses on bulk outsourcing of data processing, rather than what is referred to as “necessary” transfers. These include things like sending an email or ordering a product. After a public consultation, guidance was issued and new practices were put in place in June 2021. The Privacy Shield was immediately invalidated but regulators are giving organizations time to adapt and put new processes in place.
However, NOYB, Max Schrems’ group who are behind the verdict, has pursued 101 complaints on EU-US transfers since the ruling. This pursuit has since resulted in the recent ruling by the Austrian Data Protection Authority, stating that Google Analytics contravenes E.U. GDPR regulations.
Why Does Schrems II Matter?
Many companies relied on the Privacy Shield arrangement to transfer data between the E.U. and the U.S. to do business.
Now the Privacy Shield has gone, European companies have to conduct individual assessments of every data transfer to a non-EU country for compliance purposes.
Data transfers are a core component of many international companies’ business. So anything that holds this process up can cause a serious headache. It is now up to these companies to conduct a Transfer Risk Assessment if they are transferring data to the U.S. or any other third party country.
In-depth guidance on compliance measures is available here.
Implications in ASEAN
As any territory in ASEAN would be classed as a “third party country” there are implications for organizations who conduct business in both ASEAN countries and the E.U., if that business involves regular data transfers. Any data transfer from the E.U. to an ASEAN country is subject to a Transfer Risk Assessment under Schrems II.
The good news is that many countries in ASEAN have data protection laws in place that are similar to the E.U. GDPR laws. In Thailand, the Personal Data Protection Act (PDPA) came into effect in June 2021.
The bad news is that many organizations have struggled with PDPA and there is not much guidance for businesses looking to move data from the E.U. to ASEAN and back again. A recent PWC survey aimed at businesses in Thailand stated that “only 5% of respondents have implemented actions to meet all or most of the PDPA requirements.” The survey also highlighted that 60% of respondents had not yet appointed a data protection officer.
What This Means For Your Business
If your business does move data internationally, compliance with different local data protection laws is a must. Non-compliance with PDPA in Thailand can incur a fine of up to 5 million THB and criminal penalties that can even include imprisonment. Non-compliance with E.U data laws can incur a fine of up to 20 million Euros or 4% of annual global turnover, whichever is higher.
So the penalties for organizations in ASEAN who are not compliant with data laws in all the territories in which they do business are severe. A company could, in theory, be fined in both the E.U. and in the ASEAN territory (or territories) they also operate in.
Although most businesses are not at risk, this does potentially affect SME businesses like marketing agencies, who may have clients all over the world. So appointing a data protection officer to ensure compliance in different territories can substantially lower risk.
Actions You Can Take:
- Appoint a DPO (Data Protection Officer) to ensure compliance with local and international privacy legislation
- Conduct a risk audit on the data you hold
Google Analytics In The E.U.
Recent rulings on Google Analytics in the Austrian court has put this whole issue in the spotlight. For companies like Google, though they will publicly complain, the simple answer is more regional data centers in Europe. Plus Google will have to encrypt the data held in Google Analytics. Although it could be a substantial expense, it is the most likely solution for the potentially huge problem of Google Analytics being subject to an E.U. Court of Justice ruling and a flat out ban.
According to estimates, 28 million websites worldwide use Google Analytics. So any disruption could cause a real headache for businesses. Google itself has been vocal about the need for “a new EU-US data transfer framework”.
Although some of Google’s complaints could be seen as an attempt to save money, Kent Walker makes a point in the blog post that highlights “the lack of legal stability for international data flows facing the entire European and American business ecosystem.” The point is valid, despite concerns around Google’s practices. Global business needs certainty and a robust solution that is easy to implement.
It’s All About The Data
The E.U. itself realizes that where there are risks in data transfers to non-E.U. countries, “supplementary measures” may be applied to raise the level of protection required. AWS won a legal challenge in France because proper measures had been taken to lower privacy risks. The data in question was encrypted and only held for three months.
This shows that there are solutions that Google could take to avoid an E.U. wide ban on Google Analytics. A combination of more local data centers and encryption of the data they hold is the most likely compromise.
For now the story is developing. More territories in the E.U. may follow Austria’s lead. But crucially many businesses, who do not have the bottomless pit of money that Google has, are unsure of what to do. The best thing those businesses can do is to ensure compliance with local data protection legislation.
It may also be wise to look at possible alternatives to Google Analytics.
Talk to MAQE
If you need help auditing your data and ensuring compliance with PDPA and other data protection legislation, talk to MAQE. We have experience in dealing with data protection practices in a variety of sectors, including financial services. Get in touch with us via [email protected] to discuss your needs.