What’s this all about?
It has been announced that in principle the EU and the US have reached agreement on a new deal for data transfers from the EU to the US, which is currently being referred to as the Trans-Atlantic Data Privacy Framework/Agreement.
Briefly, under EU GDPR, international data transfers can only be made in certain ways and subject to various conditions. These include country Adequacy Decisions, Binding Corporate Rules, and, probably the mechanism most relied on by organisations, Standard (Model) Contract Clauses (SCCs).
Previously a special type of adequacy decision applied to data transfers from the EU to the US – the first one was called Safe Harbour and the second one was called Privacy Shield. Both were struck down by the Court of Justice of the European Union in matters concerning the privacy activist Max Schrems. You can find out more about the collapse of Privacy Shield in our note and film here https://www.corderycompliance.com/ecj-rules-scc-valid-not-ps/. The new arrangement will replace Privacy Shield, and under this new framework data should be able to flow freely and safely between the EU and participating U.S. companies.
What’s in the new deal?
It’s understood that this new arrangement includes the following:
- A new set of rules and binding safeguards to attempt to limit access to data by US intelligence authorities to what is necessary and proportionate to protect national security – the plan is for US intelligence agencies to adopt procedures to ensure effective oversight of new privacy and civil liberties standards;
- A new two-tier redress system to investigate and resolve complaints of Europeans on access of data by US Intelligence authorities, which includes a Data Protection Review Court;
- “Strong obligations” for companies processing data transferred from the EU, which will continue to include the requirement to self-certify their adherence to privacy principles through the US Department of Commerce; and,
- Specific monitoring and review mechanisms.
It is understood that some details still need to be sorted out. Assuming that those are agreed, the agreement in principle will then be formally put into final legal format. The US commitments will apparently be included in an Executive Order that will form the basis of a draft adequacy decision by the European Commission to put in place the new Trans-Atlantic Data Privacy Framework/Agreement – the timetable for this is as yet unknown.
How solid is it?
It can be expected that the legitimacy of the Trans-Atlantic Data Privacy Framework/Agreement will be challenged by privacy activists. For example, Max Schrems’ organization NOYB has already made the following statement: “The final text will need more time, once this arrives we will analyze it in depth, together with our US legal experts. If it is not in line with EU law, we or another group will likely challenge it. In the end, the Court of Justice will decide a third time. We expect this to be back at the Court within months from a final decision” (https://noyb.eu/en/privacy-shield-20-first-reaction-max-schrems). If such a challenge is brought, it would likely take eighteen months to two years for the Court of Justice to decide.
There is another possible weakness to the Trans-Atlantic Data Privacy Framework/Agreement. A recent case that went to the US Supreme Court, FBI -v- Fazaga (https://www.scotusblog.com/wp-content/uploads/2022/03/20-828.pdf), suggests that it may prove very hard to challenge US government surveillance matters in US courts (which some other court cases in the US have also shown). It seems that the Trans-Atlantic Data Privacy Framework/Agreement is supposed to facilitate such legal challenges, but the question is whether, in reality, such cases will in fact be very difficult, if not impossible, to bring.
Whilst organizations should welcome the Trans-Atlantic Data Privacy Framework/Agreement development in terms of providing legal certainty for data transfers from the EU to the US, it would be wise for them to have Standard Contractual Clauses in their back pocket just in case.
For the UK, post-Brexit the UK has its own international data transfers regime and the UK is supposedly pursuing its own similar adequacy-style decision with the US – it can be expected that any final arrangement between the UK and the US will be very similar to the eventual EU-US Trans-Atlantic Data Privacy Framework/Agreement.
We have written about data transfers extensively, including here https://www.corderycompliance.com/uk-idta/, here https://www.corderycompliance.com/edps-on-data-trf-compliance/, here https://www.corderycompliance.com/edpd-guidance-international-data-transfers/, here https://www.corderycompliance.com/eu-new-sccs-for-idts/, here https://www.corderycompliance.com/german-dpas-start-dt-enforcement/, here https://www.corderycompliance.com/cnpd-enforces-schrems3/, and here https://www.corderycompliance.com/eu-dpa-decisions-approved/
We report about data protection and privacy issues here https://www.corderycompliance.com/category/data-protection-privacy/.
For our other news please see here https://www.corderycompliance.com/news/.
For more information please contact André Bywater or Jonathan Armstrong who are commercial lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1784
Office: +44 (0)207 075 1785