As 2022 draws to a close, the international data transfer landscape from Europe continues to be dynamic, with anticipated updates including a further milestone on the Transatlantic Data Privacy Framework (“Framework”) for EU to U.S. data transfers, a new set of model clauses for data transfers to non-EU data importers who are already within the scope of the GDPR, and continued developments in cookie monitoring and enforcement.

1) EU-U.S. Transatlantic Data Privacy Framework

Following the issuing of an Executive Order in October 2022 which sets out the foundations of the Framework (for more information, see our blog post here), across the pond the European Commission has announced that it intends to issue a draft adequacy decision for the U.S. in December 2022. Once enforced, the adequacy decision will allow organizations who are certified under the Framework to transfer personal data from the EU to the U.S. without the need for a data transfer mechanism, such as the European Commission’s standard contractual clauses (“SCCs”), or to conduct a transfer risk assessment to evaluate and validate such data transfers.

In 2023, we can expect to see the practical implementation of the various safeguards identified in the Executive Order, such as the establishment of an administrative complaint system and the Data Protection Review Court, as identified in the seminal Schrems II judgement in 2020. The approved text of the Framework’s adequacy decision may also be available as soon as in the spring; however, privacy interest groups (such as NOYB, whose founder Max Schrems of Schrems II fame) have already begun to criticize the Framework, particularly over the standard of proportionality proposed for U.S. signals intelligence activities and the effectiveness of the proposed redress mechanisms, and it remains to be seen whether it will be subject to legal challenge like its predecessors. Regardless, the approved text will provide much awaited clarity to organizations, and once published organizations should assess whether the Framework is available to them as a data transfer mechanism, whether they can comply with the Framework’s requirements, and/or whether it should consider an alternative data transfer mechanism.

2) New Standard Contractual Clauses to cover the transfer of personal data to importers within the scope of the GDPR

In May 2022, the European Commission published a Q&A on its 2021 SCCs. In this Q&A, the European Commission also stated that it was in the process of developing a new set of SCCs to cover transfers to data importers located outside of the European Economic Area who do not benefit from an adequacy decision, but who are already subject to the GDPR by virtue of Art. 3 GDPR. This follows the approach taken by the European Data Protection Board’s guidance on data transfers published in November 2021, which requires organizations to continue to assess the risks and adopt supplementary measures even though the relevant transfer does not constitute a “data transfer” (i.e. where the data importer is already subject to the GDPR). The proposed SCCs are thus designed to avoid duplicating and deviating from the obligations of the GDPR that organizations are already required to comply with, and will take into account the requirements that already apply directly to those controllers and processors under the GDPR. We understand that these proposed SCCs may be published as soon as in the spring of 2023.

3) Continued scrutiny on data transfers arising through cookie usage across Europe?  

In January 2022, the Austrian data protection regulator found that a website which used free analytics from a major provider was in breach of the GDPR’s data transfer rules; in particular, the website operator (as a data exporter) was found to have failed in ensuring that personal data transferred from Europe to the U.S. was provided with an adequate level of protection (for more information, see our blog post here).

The use of these analytics and similar trackers continues to be ubiquitous across websites globally; although some providers have updated their privacy standards to address concerns, the list of European regulators that have voiced their objections has been steadily growing in 2022, and currently include the Austrian, French, Italian, German (Rhineland), Liechtensteiner, Norwegian, Dutch and Danish data protection regulators. Overall, cookie monitoring and enforcement by European data protection regulators has seen an increase in 2022, and may be indicative of a pattern of continued enforcement into 2023.

Takeaways

The first half of 2023 therefore promises to be an interesting one, particularly with the much-anticipated Framework’s adequacy decision and new SCCs expected to be published by then. Both the adequacy decision and the new SCCs are likely to aid organizations in relieving some of their data transfer obligations under the GDPR, although as such measures are not yet in force organizations should continue complying with existing obligations, including monitoring their use of cookies that may affect a transfer of personal data. While organizations should continue to conduct transfer impact assessments prior to transferring personal data subject to the GDPR to the U.S., the Framework’s developments can, and indeed should, be taken into account to reflect a contemporaneous assessment of U.S. laws.