On 20th September, representatives from the EU’s Data Protection division and the US Department of Commerce met to conduct the first annual review of the EU-U.S. Privacy Shield Framework. The new framework was established in 2016 to replace the previous EU-U.S. Safe Harbour agreement, which, the European Commission stressed, “can no longer serve as a legal basis for transfers of personal data to the U.S.” (1), following the EU’s ruling in the Max Schrems v. Data Commission case.
A carefully-worded official Joint Press Statement notes that “The first annual review marks an important milestone for the Framework… U.S. and EU officials welcomed the information shared by Privacy Shield participants …. Officials noted that this input will lead to continued improvements to the functioning of the program.” (2)
So what does this mean?
It’s clear to commentators such as D2 Legal Technology LLP, writing in the respected Lexology website (3), that “the Privacy Shield remains subject to criticism that it does not fully protect the fundamental rights of individuals provided under EU privacy law. For example, there are concerns surrounding the lack of sufficient protection … Additionally, concerns remain that the Privacy Shield would not able to control how US government agencies access EU resident personal data, once it is in the US.”
It also notes that a successful challenge of the Max Schrems kind would mean that organisations relying solely on the Privacy Shield to effect legal transfers of EU residents’ personal data into the US “would face, overnight, the unenviable choice of being in breach of EU data protection laws or stopping such transfers.”
The Privacy Shield is already facing challenges from European officials who, behind the scenes, “remain unhappy about the US stalling on making changes that bring it in line with data protection laws” (4). Both sides recognise that many companies have not signed up to the new Privacy Shield register while its fate remains uncertain. Other commentators note that the Privacy Shield is essentially a rebranding of the Safe Harbour agreement without offering additional protection to bring it into line with EU standards (5).
Additionally – the influential ‘Article 29 Working Party’ which is made up of a representative from the data protection authority of each EU Member State, the European Data Protection Supervisor and the European Commission – published a statement (6) following the establishment of the Privacy Shield. It noted “A number of concerns remain regarding both the commercial aspects and the access by U.S. public authorities to data transferred from the EU… It remains unclear how the Privacy Shield Principles shall apply to processors” – such as online Roadshow and IPO Research providers.
What effect will the GDPR have?
From May 2018, the General Data Protection Regulations come into force, signalling the most dramatic and far-reaching changes to data protection across the EU for 20 years. Despite the UK being in the Brexit process, it has signed up to inclusion of the GDPR along with its European neighbours.
The GDPR imposes significant restrictions on the transfer of personal data outside the European Union. Personal data within the meaning of the regulations includes all of the information typically required and collected by online service providers for Roadshow and IPO Research, such as names, addresses, email addresses, telephone numbers, and IP addresses.
Fines for unauthorised cross-border data transfer are steep: 4% of the organisation’s annual global turnover or Euro 20m. And according to Lexology “The GDPR also introduces regular reviews of Adequacy Decisions granted by the European Commission to non-EU jurisdictions. Such reviews would likely include the Privacy Shield, further increasing the possibility that the Privacy Shield may be found to offer insufficient protection under EU privacy law.”
So what does this mean for syndicate and capital markets teams and their clients?
Using a US-headquartered provider of online Roadshows or IPO Research is now riskier than ever. The GDPR, far from alleviating the situation, will put further strain on already precarious arrangements. Relying on the Privacy Shield to afford adequate cross-border data protection, and in advance of clarification of effective mechanisms under the GDPR and US-based providers’ introduction of measures to meet such mechanisms, means that clients’ data – and deals – remain vulnerable.
What’s the alternative?
Syndicate and capital markets teams can avoid putting their deals – as well as investors’ and clients’ personal data – at risk by using iRoadshow and ipoResearchOnline, which specifically host data in Jersey, officially recognised by the EU as providing adequate protection. iRoadshow and ipoResearchOnline additionally provide the most secure platforms available, protecting client files with dynamic watermarking, 128-bit and 256-bit encryption and a host of other security measures.
With alternatives such as iRoadshow and ipoResearchOnline available, why put your deals at risk?