Since the joint announcement by US President Joe Biden and European Commission President Ursula von der Leyen, on 25 March 2022, of an agreement in principle on the long-awaited replacement to the EU-US Privacy Shield, transatlantic data flows have again become the focus of GDPR discussions. The lack of details provided to date has, however, left many organisations (and legal commentators alike) wondering where this leaves them.
Should US organisations prepare for certification to yet another incarnation of the Safe Harbor (which will almost certainly be subject to prompt legal challenge in the form of Schrems III)? Should organisations subject to the GDPR continue with their transfer impact assessments and the uncertainty of the standard contractual clauses (“SCCs”) when transferring personal data to the US? Will the new safeguards have any impact on the SCCs at all? And how will this affect transfers to the US from the UK or other non-EU jurisdictions?
Representatives of the US Government and the European Commission recently provided some much-needed context, including further details around the timing of the replacement framework and of the potential shape of the new redress mechanism. Their comments offer some hints about the UK’s approach to transatlantic and other international data flows.
The Trans-Atlantic Privacy Framework
On 12 April 2022, confirming what many have suspected since the joint announcement, the EU Commissioner for Justice, Didier Reynders, explained that, while there is still some time before the replacement framework can be finalised, it could be in place before the end of 2022.
In a separate discussion on the same day, Bruno Gencarelli (Head of International Data Flows and Protection, European Commission) and Christopher Hoff (Deputy Assistant Secretary for Services, US Department of Commerce) discussed the following further points about the framework, noting that they could only provide limited details at this stage:
- The replacement to the EU-US Privacy Shield will be called the “Trans-Atlantic Privacy Framework,” and like the Privacy Shield, the Framework will not be static but is intended to grow and change over time.
- The EU and US have been working together on the Framework for the past 14 months and negotiations are still ongoing—particularly in relation to the US government’s “unprecedented commitments” to a new redress mechanism for EU individuals as well as safeguards to ensure US signals intelligence activities are “necessary and proportionate” in their collection of EU citizens’ personal data and are only undertaken for defined national security objectives.
- The Framework is not intended to result in any additional principles or obligations on certifying organisations beyond those in the Privacy Shield—participating organisations will continue to be required to certify their compliance to the Privacy Shield Principles through the US Department of Commerce. Instead, the Framework, in line with Schrems II, will focus on addressing surveillance activities undertaken by US government agencies and redress mechanisms for individuals in relation to such surveillance, including through a newly-established Data Protection Review Court.
- The Schrems II decision has been the fundamental driver of negotiations to date, with the parties aiming to address each issue raised in the decision on a line-by-line basis. The goal here is to avoid an invalidation of the Framework in any future actions by Schrems or others. While legal actions are “expected,” the Framework is intended to be “a stable and durable solution” that can withstand the scrutiny of legal challenges (and the time it has taken to reach an agreement in principle, they argued, demonstrably reflects this).
- The new redress mechanism (i.e. the Data Protection Review Court) will have authority to adjudicate claims and enforce binding remedial measures, and it is being developed through the US executive branch. Notwithstanding the link to the executive branch, steps will be taken to ensure the Data Protection Review Court’s independence (including by the appointment of judges from outside the US government, together with related appointment and removal protections). Further information on the Data Protection Review Court and other safeguards under the Framework is to be provided in due course.
- Although the Framework is being negotiated with the aim of ultimately achieving an adequacy decision under the GDPR, it is also intended to provide a binding right of redress and safeguards for other international data transfer mechanisms under the GDPR, including SCCs and binding corporate rules (“BCRs”). This means that the process of conducting transfer impact assessments with respect to transfers to the US should be significantly more straightforward once the US Executive Order implementing the new safeguards is in place.
- In terms of timing, the Executive Order now needs to be drafted, negotiated, and agreed with the EU, which is expected to take some time. Although neither side has given a definitive timeline, this process could be completed in a matter of months. This will then kick start the European Commission’s adequacy decision process, which will require a formal opinion from the European Data Protection Board (“EDPB”), a positive vote from EU Member States, and ultimately, approval from the European Commission, which is expected to take approximately six months.
A path forward for other adequacy decisions?
The current expectation is that the work being done on the Framework can be leveraged and applied to other transfer regimes, including in the UK and Switzerland. Hoff confirmed that, in conjunction with negotiations regarding the Framework, the US government has engaged in discussions with the UK government around international transfers from other jurisdictions.
Joe Jones (Deputy Director of the International Data Transfers Data Policy Directorate at the UK’s Department for Digital, Culture, Media & Sport) also recently confirmed this, explaining that the UK plans to apply the work undertaken by the US and EU more broadly to form “durable and sustainable” solutions with other UK partners, which might involve expanding the Framework to create a “multilateral mechanism.” Jones also reiterated that the UK is prioritising adequacy decisions with the US, Australia, Brazil, Colombia, Dubai, India, Indonesia, Kenya, the Republic of Korea, and Singapore; the UK is in “progressed discussions” with its close partners in this regard and aims to formalise adequacy decisions before the end of 2022.
While Jones did not provide further details as to whether all these adequacy decisions would be based on the Framework (or whether certain decisions would be granted to the territories as a whole), he suggested that the UK needed to take a more sustainable approach to adequacy decisions, including by perhaps softening some of the sharper edges to the UK GDPR and by acknowledging that different data protection measures can still provide equivalent levels of protection. According to Jones, third country laws do not need to mirror the UK GDPR and the UK Government needs to “find commonality rather than forcing others to get to the same standards.”
These updates on the Framework are undoubtedly great news for businesses on both sides of the Atlantic—in particular for SMEs, which were the majority of organisations certifying to the Privacy Shield and were therefore disproportionately affected by its invalidation. If the Framework can withstand the scrutiny of Schrems III, it will create far more certainty in an area that has been subject to prolonged and repeated legal challenge.
That, however, is still a big “if”—two successive transfer regimes, which both received adequacy status from the European Commission, were unable to withstand legal challenge by Schrems, and the “unprecedented commitments” being made by the US Government are arguably similar to those intended under the old Privacy Shield. In addition, the approach to using an Executive Order (rather than implementing a formal federal law) also raises concerns—in particular, given that there are arguably political motivations underlying the EU’s position on international transfers and its approach to adequacy decisions, future US government administrations could conceivably change their course again regarding signals intelligence activities and revoke the order, effectively invalidating the Framework at the whim of politicians.
Those organisations that spent their time and resources on the Safe Harbor and Privacy Shield may (understandably) be reluctant to jump straight into the Framework, particularly when they have likely spent significant time recently undertaking transfer impact assessments and putting in place SCCs and related safeguards with data exporters subject to the GDPR. For those organisations that have maintained compliance with or continued to self-certify to the Privacy Shield Principles since 2020, however, that jump may not be so significant. In addition, organisations may prefer to transfer to US organisations that have certified to the Framework instead (though the Executive Order should address this), considering the continued uncertainties around the use of SCCs to transfer personal data to the US (particularly when those importers require access to the data in the clear), together with the looming threat of increased enforcement efforts by EU supervisory authorities in light of Schrems II.
The time taken to reach this agreement in principle also shouldn’t be ignored and may indicate that real progress has been made. The fact that negotiations have taken 14 months to date may reflect a commitment from both sides to substantively address Schrems II. Given that it took only approximately four months to reach an agreement in principle on the Privacy Shield (and a further five months for the Privacy Shield to receive its adequacy decision), we would hope that this time has indeed been spent on addressing Schrems’ concerns. More cynical observers may, however, suggest that the delay is more indicative of the political and economic drivers at play than of a mutual and concerted effort to uphold the rights of EU citizens.
On the proposed timing for reaching a new adequacy decision, the (political) agreement in principle now arguably enables both the EU and US to begin accelerating the process—though an adequacy decision before the end of 2022 still seems optimistic. In particular, the details in the Executive Order (which still needs to be drafted) and the approach to the Data Protection Review Court are likely to be sticking points. The EDPB has already commented that it is looking forward to closely reviewing the new safeguards and redress mechanism (specifically around the Court’s access to personal data, its ability to adopt decisions which are binding on US intelligence agencies, and whether there is any judicial remedy against its decisions). These, together with other outstanding uncertainties, could conceivably delay the process, at least until further information is provided and the Executive Order drafted. For example,
- the Data Protection Review Court is unlikely to be an official federal court (i.e. created by federal law)—it is unclear how much weight will be given to this, on the basis that both the Schrems I and II decisions echoed that this was not necessarily a critical factor, provided the redress mechanism had sufficient independence and could issue binding decisions; and
- it is unclear how the Data Protection Review Court will actually function in practice, other than to address academic or theoretical risks related to surveillance activities. In particular, how will EU citizens actually use the Data Protection Review Court if they are unaware that their personal data has been subject to US surveillance, particularly if the processing activities are classified as state secrets? It is also widely known that the Privacy Shield’s Ombudsperson did not receive any complaints from EU citizens throughout the life of the Privacy Shield.
On a more positive note, the potential application of the safeguards and Data Protection Review Court to other GDPR transfer mechanisms, such as the SCCs, will be welcomed by all. In theory, once the Executive Order is in force, data exporters under the GDPR will be able to document it in their transfer impact assessments as providing adequate safeguards when transferring personal data to recipients in the US (whether or not the recipient requires access to the data in the clear). This should significantly reduce the current burden and uncertainty around the use of SCCs, all of which stems from the Schrems II decision. Organisations should keep in mind, however, that the Framework (and the Data Protection Review Court and related safeguards) will only apply to transfers to the US under the EU GDPR. Organisations transferring personal data to recipients in other third countries, or pursuant to other legal regimes such as the UK GDPR, will need to continue with their current approach to SCCs and transfer impact assessments. While the comments from Jones on the progress of the UK approach are encouraging, it remains to be seen how long it will take for the UK to adopt its own decisions and whether the UK Government will need to wait for the European Commission’s adequacy decision on the Framework before it can accelerate its US adequacy determination. We also shouldn’t forget that the UK is walking a tightrope here: if the UK goes too far in its own direction (including by granting its own adequacy decisions without reciprocation from the European Commission), there is a risk that the UK’s adequacy status under the GDPR could be revoked.