The end of October was a busy spell in the world of data protection and privacy law. Facebook was fined £500,000 for sharing data with app developers in a way that was neither transparent nor secure. Morrisons was found liable in a group action raised by employees after a rogue employee stole employee data. However, controversially, the even bigger news was the speech by Apple’s Chief Executive Tim Cook, praising the EU’s General Data Protection Regulation (GDPR) and calling for a US equivalent.
The plea for legislative action in the US is significant, especially when it comes from one of the biggest tech companies in the world. At the moment, the US has a patchwork quilt of rules that protect privacy only in specific areas (e.g. healthcare) and in some states. Without a comprehensive privacy law such as the one we benefit from in the EU, we will continue to be unable to share personal data with the US without taking cumbersome administrative steps to protect that data.
And why would a US privacy law help the energy sector? Ultimately, the industry depends on people. The sharing of personnel information across company groups and in collaborations is not insignificant. In many ways our UK and EU operations are inextricably linked to our friends in the US. If the US can bring its privacy laws to a status equivalent to that enjoyed in the UK and EU, then data sharing could be much simpler, which can only be a good thing for the energy sector and for our wider economy.
It would also allow companies to rely more freely on US suppliers like cloud providers, software services and other tech providers, which can drive cost savings.
There’s a long way to go yet before a US privacy law is progressed, and even if a law is adopted, the EU would need to recognise it as sufficient through an “adequacy finding”. With Brexit looming, the UK government could also make its own determination that the US law is sufficient.
In the meantime, energy companies need to look carefully at their data transfers to the US, whether within their group or to external third parties such as suppliers or joint venture partners. This review will assess what steps should be put in place to ensure that personal information is shared in a manner that is compliant with European data protection law. A number of options exist, each with advantages and drawbacks, but the most commonly relied-on mechanism is the use of “Standard Contractual Clauses”, which are pre-approved clauses agreed by the European authorities. The difficulty with these clauses is that they are “fixed” to the transfer covered in an arrangement: any change to the data being shared needs new clauses agreed between the parties, which is often forgotten. Privacy Shield is also available for US-based companies to self-certify that they operate to the same standards as Europe. This is only really relevant for consumer-facing organisations rather than oil and gas services companies with a less public-facing role.
At a time when we are more connected than ever, a US privacy law should be welcomed, especially given the uncertainty we face with Brexit looming.
Ross McKenzie is a partner based in international law firm Addleshaw Goddard’s Aberdeen office. He advises on general commercial contract work and is a specialist in data protection law, particularly in the oil and gas sector.