It Just Got Harder for AI Companies to Import European Personal Data
In a judgment issued last week, the European Court of Justice invalidated the EU-U.S. Privacy Shield Program by which businesses in the United States could self-certify their compliance with a framework of principles for data protection. This judgment is the top privacy story for multinational companies this year. What does this mean for artificial intelligence companies? For AI companies using personal data to train machine learning systems, the answer is that it just got harder to import personal data from the European Union (EU) and broader European Economic Area (EEA) to the United States.
The background is that some U.S. businesses in the artificial intelligence field are importing personal data from European countries to train machine learning systems with a myriad of applications. Companies with a physical presence in the EEA, companies directing marketing efforts to EEA member states, and companies monitoring the behavior of individuals present in EEA member states are subject to the European Union’s General Data Protection Regulation. For more details, see my earlier blog post. In addition, other U.S. businesses may provide services to another U.S. business that has already imported personal data from EEA countries. Such U.S. businesses must then agree by contract to protect personal data from those countries with the same level of protection they would receive under GDPR in the EEA. Therefore, some AI companies are required, directly or indirectly, to meet GDPR standards.
GDPR allows for the free flow of personal data from EEA countries to countries that the European Commission has found to have an adequate level of data protection. So if the laws in those countries are stringent enough, then there is no barrier to exporting personal data to those countries from the EEA. And by “export,” I mean that a company in an EEA member state could, for instance, send the personal data to a vendor in one of those countries. As one example, a cloud storage provider in Canada could receive personal data from EEA companies without any GDPR-imposed restrictions. The laws in Canada are stringent enough to protect personal data. Other countries with such adequacy decisions include Argentina, Israel, Japan, Switzerland, and New Zealand.
For countries that don’t have stringent enough laws, some “transfer mechanism” must be in place to allow for the export of personal data from EEA member states to those countries. The United States is one of those countries. The three main options for transfer mechanisms that U.S. businesses chose to use to import personal data have been:
Standard contract terms (called “Standard Contractual Clauses”), which were developed to allow for a personal data importer to commit to an adequate level of protection by contract
“Binding corporate rules” that allow for an intra-enterprise transfer of personal data, say, within a conglomerate of affiliated multinational companies
Privacy Shield allowed a U.S. AI company to self-certify to the U.S. Department of Commerce that it is in compliance with a framework of privacy and security principles. Once registered, the self-certification meant that a company didn’t have to include the lengthy and cumbersome Standard Contractual Clauses into every cross-border deal, thereby speeding up the contracting process and making it more efficient. Privacy Shield was therefore attractive for U.S. companies doing frequent deals to import personal data from EEA member states. Binding corporate rules are only for intra-enterprise transfers and so technically don’t apply to a transaction between unrelated customers and vendors overseas. Moreover, they require advance approval by a data protection authority.
Last week’s decision means that AI companies can no longer rely on the Privacy Shield program to import personal data from EEA member states to the U.S. There might be a way to make binding corporate rules work for intra-enterprise transfers to the U.S. But the vast majority of U.S.-based AI companies will now need to use the Standard Contractual Clauses as a transfer mechanism. What does that mean as a practical matter?
First, it means that AI companies reliant on Privacy Shield as a transfer mechanism and describing their transfers in their privacy policies must now revise their privacy policies right away. Any mention of reliance on Privacy Shield as a current means of personal data importation must now be eliminated. The government is maintaining and enforcing the Privacy Shield program for now, so companies should consider withdrawing from the program, although they will need to continue protecting personal data already collected under the Privacy Shield principles. One approach for privacy policies is to state that the company continues to comply with Privacy Shield for data already processed but will use other transfer mechanisms going forward.
Second, any data processing addendums or agreements with European entities calling out Privacy Shield as the transfer mechanism used must now be amended to delete references to Privacy Shield. Instead, the parties must make sure Standard Contractual Clauses are now in place. If the AI business struck a lot of these deals, there will be a lot of time and effort spent to review relevant agreements and renegotiate each one with counterparties in EEA countries.
The judgment allowed for continued use of the Standard Contractual Clauses for now. Nonetheless, the problems with Privacy Shield may also be determined later to apply to the Standard Contractual Clauses as well. The unfortunate thing about the Court of Justice’s opinion is that it was not based on a failure by U.S. businesses to take proper care of personal data from EEA countries. On the contrary, the decision was based on the U.S. government’s surveillance of EEA residents without privacy rights such as the right to access what information was collected, the right to rectify incorrect personal data or the right of erasure of that data. The U.S. government does not have official mechanisms to allow for EEA residents to have such rights.
Therefore, no matter how well-behaved U.S. businesses were in terms of their compliance with Privacy Shield, the U.S. federal government’s surveillance meant EEA residents could not have comprehensive, adequate privacy protections in the U.S. But the same reasoning could apply to Standard Contractual Clauses as well. Businesses could agree privately to provide adequate protection using Standard Contractual Clauses. But if the U.S. government could still conduct surveillance of EEA residents without affording privacy rights to them under Privacy Shield, it could do the same for companies using the Standard Contractual Clauses. If the Standard Contractual Clauses are later invalidated or do not permit the importation of personal data from Europe to the U.S., European-U.S. cross-border commerce in data will grind to a halt and disaster will ensue.