What next for Trans-Atlantic data processing?

Since the demise of the EU-US privacy shield in July 2020 following the Court of Justice of the European Union’s (CJEU) decision in the case of Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) (Schrems II), EU and UK based organisations have had to utilise an alternative transfer mechanism. In the EU, and the UK prior to Brexit, the mechanism used was the Standard Contractual Clauses (SCC’s), although following Brexit the UK adopted the International Data Transfer Agreement (IDTA). However, irrespective of which mechanism was used, they have both added considerable time and expense to the process. But this could be about to change (again).

The Executive Order:

On 7 October 2022, Joe Biden signed the Executive Order on “Enhancing Safeguards for United States Signals Intelligence Activities” (EO) which seeks to address the concerns raised by the CJEU in Schrems II and restore the transatlantic flow of personal data. If successful, the scheme will be called the EU-US Data Privacy Framework and will remove the need for EU and UK based data exporters to carry out transfer impact assessments or use the SCC’s or IDTA when transferring to certified US organisations, thereby streamlining the process.

The EO will, according to a White House fact sheet published on 7 October 2022, implement a number of steps in order to meet its objectives, including:

  • The implementation of safeguards to restrict US signals intelligence activities to the ‘…pursuit of defined national security objectives’ and only where necessary and proportionate to advance a ‘…validated intelligence priority’;
  • The extension of legal, oversight, and compliance officials’ responsibilities relating to the ‘…handling requirements for personal information collected through signals intelligence activities…’, to ensure that incidents of non-compliance are dealt with appropriately;
  • The requirement that elements of the US Intelligence Community amend and update policies and procedures to bring them in line with the new privacy and civil liberties safeguards set out in the EO;
  • The creation of a multi-layer redress mechanism providing individuals from ‘…qualifying states and regional economic integration organisations’ with the right to obtain an ‘…independent and binding review and redress…” where they believe that their personal information was collected or handled ‘…in violation of applicable US law, including enhanced safeguards in the EO’.
  • The ongoing support of the Privacy and Civil Liberties Oversight Board to review the policies and procedures adopted by the US Intelligence Community and ensure consistency with the EO. They will also be responsible for conducting ‘…an annual review of the redress process…’.

Whilst the potential for faster and cheaper transfers of data across the Atlantic has been welcomed by many businesses, some commentators have taken a less optimistic view, raising concerns that the EO does not go far enough to remedy the defects of its predecessors, the EU-US privacy shield and the Safe Harbour, invalidated by the CJEU in July 2020 and October 2015, respectively.

Foreseeable problems:

Max Schrems, the Austrian privacy campaigner who challenged the two previous transfer arrangements mentioned above, has suggested that there are a number of potential flaws with the EO and, in turn, the EU-US Data Privacy Framework. In particular, he notes that there has not been an agreement as to the legal meaning of the terms “necessary” and “proportionate”. Further, Schrems states that the Data Protection Review Court, designed to facilitate the multi-layer redress mechanism, is merely an upgraded ‘…version of the previous “ombudsperson” system, which was already rejected by the CJEU’. Therefore, this approach would not meet the requirements of Article 47 of the EU Charter of Fundamental Rights.

In addition to Schrems, the European Consumer Organisation, BCEU, have highlighted that significant discrepancies exist between the levels of data protection seen in the US and EU and that these are not remedied by the safeguards implemented by the EO. Thus, it is possible that a Schrems III, or similar challenge, will be brought during the first months of the new arrangement coming into force, if, indeed, it is approved.

The UK

Now that the UK has left the EU, it is able to make an adequacy decision regardless of the strategy adopted by the European Commission (EC). Although, it is important to note that divergent findings in this regard could have implications for any adequacy decision that the UK is seeking to receive from the EC.

Following the signing of the EO, the UK and US released a joint statement in which it was confirmed that progress had been made towards an adequacy decision by the UK and that the UK ‘…intends to work expediently to conclude its assessment”, suggesting that the flow of data may be restored in the coming months.

Next Steps

Whilst an adequacy decision is not guaranteed from either the EC or the UK, the wording of recent statements suggests that both jurisdictions see the EO as being a step in the right direction with an adequacy decision potentially being adopted as early as 2023. However, the proposals will have to successfully stand up to scrutiny in each jurisdiction prior to an adequacy decision being granted.

Conclusions

Regardless of whether you believe the EO goes far enough in protecting personal information, it is certainly welcome news for many businesses who will, subject to an adequacy decision, be able to resume transatlantic data transfers.

It is, however, important to ensure that until such a time as an adequacy decision is made, businesses continue to follow the current practices, utilising the IDTA/SCC and carry out a data transfer impact assessment where required to do so.

For further information in relation to your obligations under the UK GDPR or the Data Protection Act 2018, please contact Peter Kouwenberg or James Davey.