‘Back to Basics for Startups’ – International Data Transfers
Any entrepreneur is just an idea and the right data set away from a startup. As global actors, startups benefit from transferring data across borders to expand their customer base and scale their businesses. The General Data Protection Regulation (GDPR), the Data Governance Act (DGA) and the Data Act are three key policies that contain specific provisions on how to transfer data outside the EU territory. Let’s go back to the basics to understand how startups are impacted by complex EU data and privacy regulations and the mechanisms they have to transfer data.
The General Data Protection Regulation (GDPR)
The GDPR is a key piece of EU privacy law that, since it became enforceable in 2018, regulates the processing and transfer of personal data. What it stands for is simple: when personal data is transferred outside the EU, it is expected to be treated with the same level of protection as in the EU. That level of protection is judged by the European Commission through an adequacy decision. For now, only the following countries have been granted adequacy: Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, South Korea, Switzerland, the United Kingdom and Uruguay.
What do startups do when there is no adequacy framework? In such a situation, startups can transfer personal data through standard contractual clauses (SCCs) and binding corporate rules (BCRs). However, these measures are not particularly startup-friendly as they are highly time and resource consuming.
Startups have struggled to implement the GDPR despite their best efforts to comply with all EU regulations. The GDPR has presented an unprecedented complexity challenge for smaller actors with fewer resources, to the extent that many new businesses have emerged to provide advisory services or technical solutions to be GDPR-compliant, which startups often can’t afford. In addition to these implementation issues, many of the normative pillars of this regulation, such as data minimisation, effectively hamper innovation, especially the development of artificial intelligence systems and similar data-driven technologies that startups can leverage to compete with incumbent players. Granting startups greater flexibility in their data processing practices will allow them to thrive.
The GDPR also overlaps with more contemporary policies such as the Data Act (2022), thus creating a complex patchwork of regulation that smaller players don’t have the resources to grasp. Adding to the fact that the regulation lacks clarity regarding its definition and scope, one could have easily anticipated the calls to policy makers to rethink the framework and allow for the whole EU ecosystem to thrive.
The Data Governance Act (DGA)
Re-using data can be of great benefit to society both at home and abroad. Expected to come into force in September 2023, the DGA states that strict safeguards are needed when providers of data intermediation services transfer personal data, commercially sensitive data and non-personal data when this can result in a conflict with Union law or the law of relevant Member States. Hitherto, the re-use of these categories of data was infrequent and always in the hands of Member States. Thus, the DGA establishes strict rules for re-users that aim to transfer confidential data to non-EU countries (stricter conditions may apply to highly sensitive data, such as health data).
However, the DGA may have detrimental effects for startups. Indeed, when there is no adequacy decision or international treaty stipulating whether a provider of data intermediation services can transfer data relevant to this legislation or not, it is up to the provider to determine whether sharing data outside the EU goes against EU law. Placing the legal onus on startups to decide whether their data will be treated with an equivalent level of protection and when to deny access creates legal uncertainty.
The Data Act
Although still in trilogues, the Data Act is expected to create a legal framework to promote data sharing across the Union. It will do so by setting new guidelines for sharing industrial data aimed at protecting non-personal data covered by intellectual property rights and trade secrets. Like the GDPR and the DGA, the Data Act establishes new requirements to access and transfer non-personal data held in the EU when this is in contradiction with Union law or the national law of any relevant Member State. Like under the GDPR, data may only be transferred to non-EU countries that guarantee a level of IP and trade secret protection equivalent to the EU’s.
Because personal and non-personal data are often mixed in datasets, it is increasingly hard to distinguish them. Given that IP and trade secret protection rules apply regardless of the nature of data, it can be unclear for startups whether the GDPR or the Data Act applies. While Article 27 of the Data Act builds on Article 48 of the GDPR, the two provisions contain different rules and can lead to misinterpretation. More clarifications are consequently needed for startups to possess greater legal certainty. It would be helpful that when datasets are mixed with personal and non-personal data and there is no adequacy in place to govern data flows between the Union and another country, other options, such as SSCs under GDPR, are enough to meet the requirements of the Data Act. Otherwise, startups may face excessive legal uncertainty when handling data transfers under this regime.
This complex patchwork of regulations makes it very difficult for startups, actors with inherently fewer resources, to transfer data outside the EU. This is why Adequacy agreements, such as the Privacy Shield, between different jurisdictions are essential to startup ecosystems – they facilitate startups’ legal compliance, provide legal certainty and enable safe cross-border data transfers.