The way that mass transfers of data between jurisdictions are handled and regulated is a significant matter for the wealth management industry, given the cross-border nature of much of its business and those of its clients. There is still a continuing tension between a need for privacy and the suppression of illicit money movements.

The conflicting interests of data security and financial transparency have been highlighted this week by an EU court’s refusal to annul a 2023 data transfer pact between the US and European Union. 

Earlier this week, a legal challenge brought before the EU’s General Court by French citizen Phillipe Latombe sought to squash the European Commission’s EU-US adequacy decision. Latombe claimed that the Privacy Shield 2.0 framework used for this agreement – replacing the earlier 2020 privacy shield approach – contained shortcomings.

The pact is the 2023 EU-US Data Transfer Framework. 

The matter is significant for private banks, wealth managers and professional services firms whose businesses span the US and European Union. At a time of concerns about cybersecurity breaches, and attempts by governments to crack down on illicit financial flows, the privacy of financial data is a live issue. It can touch on tax information exchanges, such as those involved under the US FATCA legislation and the Common Reporting Standard.

Latombe, a member of the European Parliament, had complained that the agreement allowed for disproportionate data collection, lacks transparency and adequate safeguards for Europeans’ personal information, and offers insufficient legal redress. His was the first such challenge to the agreement. As various media reports said, Latombe needed to show judges that the deal affected him directly as an individual, but he failed to make that case.

More than 2,800 US companies rely on the agreement to conduct business.

In 2023, the European Commission adopted a new adequacy decision – Privacy Shield 2.0 – to enable certain EU-US data transfers, after the former US president Joe Biden signed an executive order providing for a suite of privacy safeguards and protections.

The US-based International Association of Privacy Internationals said that this case was the third time that the adequacy of an EU-US data transfer agreement was assessed by the EU's highest courts in the last 10 years. 

“The latest ruling offers European and US businesses stability and reassurance at a time of uncertainty between the two jurisdictions fuelled by concerns around digital trade and discrepancies over regulatory approaches,” IAPP said in a statement. 

Dublin-based data protection law expert Andreas Carney of Pinsent Masons said: “We are getting somewhat used to EU-US frameworks for the transfer of personal data being legally challenged. No doubt this latest decision will be seen positively by businesses relying on Privacy Shield 2.0.”

“The adequate level of protection ensured by the US in respect of transfers of personal data to organisations in that country, as affirmed by the General Court’s judgment, is by reference to the date of adoption of the European Commission’s decision that was challenged. Whether we should read anything into this is uncertain. For now, at least, Privacy Shield 2.0 has held up to judicial scrutiny, which will give comfort to most,” Carney said.

Another law firm, Lewis Silkin, said the court’s actions bolstered the agreement, but advised against complacency.

“While today’s [3 September) decision underscores the continuing validity of the DPF [EU-US data privacy framework] as a lawful transfer mechanism, on a practical note, given the chequered history of EU-US data transfers, many organisations have already provided an alternative 'fallback’ transfer mechanism, such as SCCs [standard contractual clauses], in contracts to ensure compliance in case the DPF would be invalidated in the future,” according to a note from Alex Milner-Smith, partner and co-head of data, privacy and cyber, London, and Lee Ramsay, managing knowlege lawyer, London, at Lewis Silkin.

“So, should an appeal be lodged, there is no need to change anything until the final determination has been handed down but an audit of your data transfer mechanisms would be prudent – and for those who didn’t add in a fallback mechanism now might be the time to do so,” they said.