Trans-Atlantic data sharing arrangements and what may be on the horizon
EU-US
Current
Transfers of personal data between the EU and US are only permitted with “adequate safeguards” e.g. Standard Contractual Clauses / Binding Corporate Rules and Transfer Impact Assessments.
Adequacy was granted to the US by the EU in relation to the US Privacy Shield in 2016. The EU-US Privacy Shield had been designed to close the gaps between the GDPR and US data protection law and provide a mechanism for compliance when transferring personal data between the EU and US. Under the Privacy Shield, companies were able to voluntarily apply to join the scheme, and an ombudsperson was created to oversee the framework. However, in 2020 adequacy was invalidated after a challenge by Max Schrems in the European Court of Justice (ECJ). The ECJ cited concerns around unchecked access to EU data subjects' personal data by US intelligence services and the absence of any mechanism for redress. The ombudsperson was not thought to be sufficiently independent from the US Government, and its decisions were not binding.
Future
In March 2022 the EU and US announced a new Trans-Atlantic Privacy Framework (TAPF) to replace the Privacy Shield. The focus in designing the new scheme has been addressing the concerns raised in the Schrems judgement and working towards adequacy. The new framework still requires participating organisations to apply to the US Department of Commerce for certification in the same way as they did for the Privacy Shield. However, the key differences include:
- US intelligence agencies will now need to establish that accessing personal data is “necessary and proportionate” for a valid intelligence purpose; and
- the creation of a new two-part redress mechanism including the establishment of a Data Protection Review Court.
In October, President Biden signed an Executive Order (EO) on Enhancing Safeguards for United States Signals Intelligence Activities enacting in law the commitments under the TAPF. The EO contains examples of legitimate and prohibited intelligence activities and requires privacy to be considered when intending to use bulk surveillance methods. The EO also obliges the Attorney General to establish the components of the new redress mechanism – a Civil Liberties Protection Officer of the Office of the Director of National Intelligence (CLPO) and a Data Protection Review Court (DPRC).
Under the new redress mechanism, data subjects can complain to the newly established CLPO as a first step. If the data subject remains dissatisfied with the response, the CLPO judgement can then be referred to the DPRC. The DPRC can be considered a real breakthrough. Unlike other courts in the US, the DPRC will be made up of 3 politically neutral judges who will not be subject to interference from the US Attorney General and will be protected from dismissal. This should provide the basis for fair, binding judgements that can instil confidence.
The European Commission is now undertaking the adequacy process, which will likely take a minimum of six months to conclude.
UK-US
Current
Post-Brexit, the UK is now responsible for its own adequacy decisions but as a starting position, the UK adopted all the EU adequacy decisions in place as of 31 December 2020. In the absence of an adequacy decision, UK-US personal data transfers will be considered a restricted transfer and require appropriate safeguards. Appropriate safeguards for restricted transfers take the form of either an International Data Transfer Agreement (IDTA) or the new EU Standard Contractual Clauses (EU SCC) plus the UK addendum. These safeguards were introduced in the UK in March 2022 to update the UK’s position post-Brexit and to conform to the Schrems II decision. The IDTA is a stand-alone agreement that is most appropriate for organisations based solely in the UK who intend to make restricted transfers. The UK addendum is an ideal mechanism for organisations that operate in both the EU and UK and make restricted transfers, as it effectively ensures the EU SCCs are additionally compliant with UK data protection legislation. Companies will have until March 2024 to update their existing arrangements to adopt the UK addendum or the IDTA and may choose either mechanism. In addition to the IDTA or UK addendum, a Transfer Risk Assessment (TRA) will be required to assess whether additional measures are required to adequately safeguard the data in line with the UK GDPR requirements.
Future
Recognising the importance of free-flowing data, the UK has announced its intention to conduct its adequacy assessment of the US by the end of 2022. The UK has been engaging closely with the US to stabilise cross-border data flows and has welcomed the TAPF and the EO signed in October. The US has signalled its intent to adopt the UK as a designated state under the EO and enable the UK to access the redress mechanism – a likely crucial step in the adequacy assessment process.
These notes have been prepared for the purpose of articles only. They should not be regarded as a substitute for taking legal advice.