Amid the war in Ukraine, privacy experts, however, expressed concern that the board is being too soft on Russia and the risks it could pose to Europeans’ data.
This week’s statement seemed disproportionately “soft,” especially compared with the group’s tough stance on data flowing to the US that focused on analysis of the risks of American government surveillance to Europeans’ privacy, said Eduardo Ustaran, a partner in the London office of law firm Hogan Lovells International LLP.
The regulators didn’t cite the risks from the government in their statement on Russia, he pointed out, adding, “They seem to be treating Russia as any other country.”
Regulators are monitoring legal changes in Russia and how they could affect any data being moved through from the EU, the document said. A spokeswoman for the umbrella group said the statement was intended as a call for businesses to use caution when they transfer data, rather than to promote economic relations with Russia.
“Transfers to Russia are still a reality today: despite the economic sanctions, frequent exchanges of personal data occur on a daily basis between EEA countries and Russia,” she said, referring to the European Economic Area, which includes the 27 EU countries as well as Norway, Liechtenstein and Iceland.
The document didn’t name the European countries scrutinizing data flows to Russia or disclose when their inquiries began. The board’s spokeswoman didn’t respond to a question about which countries are looking into the issue. Several regulators’ offices in European countries didn’t respond to requests for comment.
The EU doesn’t have an adequacy arrangement with Russia, a European legal framework that allows Europeans’ personal data to move freely to a particular country. Without such a deal, companies moving data abroad need to use special safeguards and legal contracts guaranteeing any European’s information will be kept safe.
The US hasn’t had an EU adequacy deal since the EU’s top court invalidated the Privacy Shield framework in 2020. Negotiators struck a replacement agreement in March, but it hasn’t yet been approved.
Max Schrems, the Austrian lawyer whose legal complaint about data moving to the US ultimately brought down Privacy Shield, said, “Overall, Europe will have to check much better where they outsource personal data to. We now debate the dependence on energy imports; digital dependencies will be next.”
Russia’s war in Ukraine raises the risks for data such as the location data of Europeans in neighboring countries, said Gabriela Zanfir-Fortuna, vice president for global privacy at the Future of Privacy Forum think tank.
“Think about the fact that location data, content of electronic communications, all of this is personal data. If you make this data accessible to countries or servers in Russia, which is actively targeting civilians at your border, I daresay this is actually a change that should be taken into account,” Dr. Zanfir-Fortuna said.
The EU and US in May said Russia was responsible for a Feb. 24 attack on the satellite-communications company Viasat Inc.
The attack, which happened on the same day as Russia’s military invasion of Ukraine, took down internet connections for thousands of Ukrainians and people in other European countries, and knocked out remote-control systems for thousands of German wind turbines.
—David Uberti contributed to this article.
Write to Catherine Stupp at [email protected]
Credit: www.Businesshala.com /