One evolving aspect of data protection law which many will have been following closely in recent years is that relating to overseas transfers – in particular, transfers from the UK/EU to the US and indeed other countries not subject to an adequacy decision.
Transfers to the US especially have been subject to close judicial scrutiny by the European Court, with the Court of Justice of the European Union handing down a decision in July 2020 in the Schrems II case, which invalidated the EU-US Privacy Shield framework. Privacy Shield had offered a GDPR compliant solution for transfers of personal data out of the EU to companies in the US who subscribed to and complied with the framework – but it was ultimately declared invalid, due to invasive US surveillance programmes.
Since the Schrems II ruling, European organisations transferring personal data to the US have therefore had to resort to other permitted mechanisms under the GDPR, notably reliance on the standard contractual clauses (SCCs). However, SCCs can now only be used following a case-by-case analysis, known as a ‘Transfer Impact Assessment’, of the third country’s laws (in this case US laws) and practices. Where those laws and practices risk impinging on the effectiveness of the protections in the SCCs, the implementation of ‘supplementary measures’ to protect personal data is required. Recent enforcement decisions from EU supervisory authorities suggest that supplementary measures are a prerequisite in respect of personal data transfers to the US.
Therefore, many businesses will have tentatively welcomed an announcement made at the end of March 2022 by the US government and European Commission (EC), that a political agreement in principle had been reached between the parties, in relation to a new Trans-Atlantic Data Privacy Framework.
How this political agreement translates into concrete legal proposals remains to be seen, in particular, what this would look like in terms of specific obligations on the data importer, assurances from the US authorities, and rights and redress for data subjects etc., but it appears that this could effectively be a new, enhanced version of the Privacy Shield. In order for the EC to make a declaration of adequacy in respect of the new framework, the European Data Protection Board (EDPB) will need to carefully examine and scrutinise the details of the new framework, and give a non-binding opinion to the EC, before Member States are asked to approve the framework. Whilst it is early days still, it was encouraging to note that the EDPB published a statement last week, cautiously welcoming the announcement of the agreement in principle.
In the announcement on the 6th April, the EDPB mentioned that: “The commitment of the U.S. highest authorities to establish ‘unprecedented’ measures to protect the privacy and personal data of individuals in the European Economic Area (EEA individuals) when their data are transferred to the U.S. is a positive first step in the right direction.”
The EDPB’s statement appeared slightly sceptical in its tone, and it stated that in particular, it would be analysing the following aspects of the new framework in detail:
- how the framework ensures that the collection of personal data for national security purposes is limited to what is strictly necessary and proportionate;
- to what extent a new independent redress mechanism respects the EEA individuals’ right to an effective remedy and to a fair trial;
- whether any new authority who is part of this redress mechanism has access to relevant information, including personal data, when exercising its mission and can adopt decisions binding on the intelligence services; and
- whether there is a judicial remedy against this authority’s decisions or inaction.
For the time being the proposed framework does not change the position for European organisations sending personal data to the US, who should, until the status of the new framework becomes clearer, continue to implement the measures referred to above, to ensure the transfer is compliant. This is particularly important given the aforementioned recent enforcement action taken by certain supervisory authorities for non-compliance in this area. However, if approved, the framework will hopefully enable transfers to be carried out in a more efficient manner, due to less legal documentation being required between the parties wishing to effect the transfer (although it is not clear presently whether a Transfer Impact Assessment would still need to be undertaken). It will also be interesting to see if the UK adopts a similar framework with the US – we will of course be following up in due course with updates as and when any further announcements are made.