On Friday, the Rolling Stones are releasing in The Rolling Stones Studio Albums Vinyl Collection 1971-2016, a hefty new limited-edition box set that contains special 180-gram vinyl pressings of every Stones studio album from 1971’s Sticky Fingers through 2016’s Blue & Lonesome. It is the new Rolling Stones vinyl collection, transferred from original recordings and “turned up to 11” which informs today’s blog post on data transfers.

Dan Epstein, writing in Rolling Stone magazine online, in a piece entitled, “How the Rolling Stones’ Massive New Vinyl Box Came Together” profiled the sound engineer Miles Showell who lovingly remastered the original recordings “from analog transfers using a painstaking process known as half-speed mastering, the albums boast a richer, more detailed aural picture with a sparkling top end, all while keeping the punch and groove of the original recordings intact.” The work took the better part of nine months and was done largely at Abbey Road studios. Showell said of the end product, “If you imagine the original version of each album turned up to 11, to kind of quote Spinal Tap, it’s that – it’s just one better. That’s what I was going for, without disrespecting the feel and the atmosphere of what’s there.”

How does a company transfer data from the European Union (EU) to the US under the General Data Protection Regulation (GDPR) which went live on May 25, 2018? I recently had the opportunity to visit Jonathan Armstrong, partner at Cordery Compliance in London and an internationally renowned data privacy/data protection expert on this topic. Armstrong noted there have been some changes which may significantly impact this issue going forward. There are basically four ways to affect such a transfer.

However, there is a method that many people may not realize is a data transfer as it involves reviewing data which sits on a server in the EU. This means that even if the data does not move out of the EU but you can access it from the US that counts as a data transfer as well. A fairly typical corporate example might be where your organization has a system for your employees that does that payroll and that payroll information is on a server in Belgium. Your Human Resources (HR) Department from the US can get into that server and extract data from it. This is a data transfer under GDPR.

Consent.The first method to safely and legally transfer data is through consent. While this may work more easily in a B2B context, it is much more challenging in the employment context. Under GDPR an employer cannot require consent as a condition of employment. Moreover, this is carried over after the creation of the employment relationship in that an employee cannot give a valid consent. The reason is the EU holds the employer has undue influence over the employee and therefore no consent can be freely given.

Standard Contractual Clauses or Model Clauses.Armstrong noted he expects to see new form clauses at some point from EU data regulators. However, he tempered this with caution that there is currently a court challenge at the European Court of Justice (ECJ), referred from the Irish Data Protection Commissioner. Once again, these standard contractual clauses in their current form are likely to face a number of legal challenges going forward, so they may well be less safe post-GDPR go live than there were before.

Privacy Shield.Readers will recall that Privacy Shield was the regime put in place after the legal actions, led by Max Schrems, invalidated Safe Harbor. Armstrong believes that while “Privacy Shield is not dead yet, it’s certainly unwell.” One reason is that there are many Europeans who do not believe that the current US administration is respecting privacy as well as it might. Even this past week, US Secretary of Commerce Wilbur Ross, criticized GDPR in an op-ed piece in the Financial Times arguing the law was unclear, no guidance has been provided by regulators, it favored privacy rights over security and would likely cause job losses in the US.

Not that the Trump Administration is any friend of the EU (or data privacy for that matter) but if the European Commission is minded to retaliate, one easy way to do so would be to withdraw the Privacy Shield scheme. From the European legal perspective, Privacy Shield currently faces two faces challenges before the ECJ. These are likely to be heard in 12 to 18 months. Finally, the European Parliament and the several European data protection regulators are not fans of Privacy Shield and this has hampered progress since it was brought into force. Armstrong concluded by stating, “my gut feel would, would be the privacy shield will die. It is a question of when and not on privacy shield. Certainly, in a worse position now than it was on May 25th.”

Binding Corporate Rules. Armstrong believes this is the one area for data transfer which has benefited from GDPR go-live. Under this scenario, an organization can go to any one of the EU data regulators ask it to be a group of companies lead regulator. From this point, the companies would put in place that system that is somewhat akin to Privacy Shield; including a series of commitments from all the other the entities which make up this the corporate network. These commitments are to each other. From there the lead regulator then reviews and assess then approve the entire network’s data privacy/data protection commitments. Finally, the lead regulator goes to such other regulators in the EU, supporting these Binding Corporate Rules. It is more streamlined approach for dealing with the plethora of regulators in the EU.

Armstrong emphasized this is not a rubber stamp process but one which takes time and concerted effort. He estimated that it is an 18 month or so process. However, under GDPR there was the creation of a European Data Protection Board (EDPB) and one of its function is to help the process of getting Binding Corporate Rules approved more quickly.

Armstrong concluded by cautioning there is still much fluidity in the mechanisms for data transfer. There still may be many changes from both the regulatory perspective and the legal perspectives through court challenges. He concluded by stating “vigilance is the watch word here.”

While the Stone vinyl collection may seem a bit pricey, I for one have pre-ordered a copy. I cannot wait to turn up to 11 on my turntable and her the glorious sounds.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2018