Businesses that need to transfer personal data between the EU and US should not bank on the work being done to establish a new EU-US data privacy framework, experts in data protection law have said.
Andre Walter and Jonathan Kirsop of Pinsent Masons made the recommendation after the European Commission and White House jointly announced that a new transatlantic data privacy framework – already dubbed ‘EU-US Privacy Shield 2.0’ – had been agreed in principle.
EU and US officials are seeking to develop a new framework to support the free flow of personal data between the EU and US following a ruling by the EU’s highest court in 2020.
The Court of Justice of the EU (CJEU) assessed claims that the US did not provide adequate protection to personal data transferred from the EU against intrusions resulting from the surveillance activities practised by US public authorities. It ruled that a previous data transfers framework, the EU-US Privacy Shield, was invalid and it further confirmed the due diligence exercise businesses must complete to satisfy themselves that their plans to transfer data to the US and any other ‘third’ country comply with EU data protection law.
The CJEU’s judgment in the so-called ‘Schrems II’ case means that organisations need to be aware of local laws in other jurisdictions to determine whether they contradict the protections that can be applied by contract, and act to apply supplementary measures to ensure the required level of protection, or prohibit, suspend or terminate data transfers in cases where that is not possible.
The European Commission and White House said the new transatlantic data privacy framework will “foster” EU-US data flows and “address the concerns raised” in the CJEU’s Schrems II decision.
The formal legal text of the framework has not yet been published, but the White House said that businesses that want to benefit from the new framework will have to adhere and self-certify to the Privacy Shield principles, which underpinned the EU-US Privacy Shield. Both it and the Commission were also keen to highlight “new safeguards” they said have been built into the framework.
According to the White House, US intelligence gathering activities will be limited to what is “necessary to advance legitimate national security objectives” and “must not disproportionately impact the protection of individual privacy and civil liberties”. The concepts of necessity and proportionality are common in EU law. It said US intelligence agencies will also “adopt procedures to ensure effective oversight of new privacy and civil liberties standards”.
There is an intention to provide data subjects in the EU with rights to seek redress in relation to the handling of their data by US authorities, including via “an independent Data Protection Review Court” which the White House said “would consist of individuals chosen from outside the US government who would have full authority to adjudicate claims and direct remedial measures as needed”.
Amsterdam-based Andre Walter, legal director at Pinsent Masons, said: “While the announcement of a new transatlantic data privacy framework is welcome, it lacks the detail that businesses will be looking for to understand how the new framework addresses the concerns of the CJEU from its Schrems II decision.”
“One of the main issues identified by the CJEU in its Schrems II decision was the right to an effective remedy. An ombudsperson was appointed by the US to address complaints raised about US authorities' access to EU citizens' data under the Privacy Shield. It appears that a court will be involved under the new redress mechanism for the new framework. The question of judicial independence will be one of the most critical factors in whether the new framework survives a legal challenge, which looks set to follow,” he said.
“We do not yet know how the new commitments around oversight and redress will look in practice and there is also no indication of how long it might take for the framework to be finalised and then given legal effect. For businesses, there is also a timing issue in respect of compliance. They have a major contract remediation project to engage in, in respect of data processing, to transition to new standard contractual clauses the European Commission has developed before the end of the year. There is no time to wait for the new Privacy Shield 2.0 and hope it supersedes the need for SCCs,” he said.
Max Schrems, honorary chairman of noyb, a privacy campaign group, said: “The final text will need more time, once this arrives we will analyse it in depth, together with our US legal experts. If it is not in line with EU law, we or another group will likely challenge it. In the end, the Court of Justice will decide a third time. We expect this to be back at the Court within months from a final decision.”
“It is regrettable that the EU and US have not used this situation to come to a ‘no spy’ agreement, with baseline guarantees among like-minded democracies. Customers and businesses face more years of legal uncertainty,” he added.
Schrems led the legal challenges that brought down the EU-US Privacy Shield and the EU-US Safe Harbor scheme that pre-dated it.
London-based Jonathan Kirsop, partner and head of technology, media and telecoms at Pinsent Masons, said: “From a UK perspective, any breakthrough on an EU-US Privacy Shield 2.0 will greatly increase the likelihood of the UK and US reaching a separate agreement to facilitate the free flow of personal data from the UK to the US. Such an agreement is a priority of the UK government.”
The UK government is seeking to implement a series of new ‘adequacy’ decisions with other governments – including the US. Adequacy decisions recognise that other jurisdictions to which personal data may be transferred meet data protection standards essentially equivalent to those that apply in the jurisdiction from which the data is being exported.
The European Commission has issued a number of adequacy decisions that facilitate the free flow of personal data from the EU to other countries and territories. This includes the UK.
Kirsop said: “The UK government’s plans to reach adequacy decisions with other countries are potentially good news for boosting conditions for trade, but it must be careful that the decisions it reaches, together with its plans to reform UK data protection law, do not threaten the ‘adequacy’ status that it currently enjoys from an EU perspective, given the extent of cross-border business operations between the EU and UK that still exists post-Brexit.”
In the UK, a new international data transfer agreement (IDTA) came into force on 21 March 2022. The IDTA is designed to govern the handling and safeguarding of personal data by those importing personal data from the UK and give exporters confidence that the data transfer arrangements are in line with the UK General Data Protection Regulation (UK GDPR).