This blog post was first published by Law360 on May 9, 2022.
On 25 March 2022, the European Commission and United States announced an agreement in principle on a new Trans-Atlantic Data Privacy Framework.1 If passed into law, the framework will facilitate the transfer of personal data between the EU and participating US companies, easing the burden on companies conducting transatlantic investigations and leaving the UK to play catch-up. However, the EU will be wary of this agreement falling prey to the same legal challenges that invalidated previous EU-US data transfer arrangements.
Transferring Personal Data to Third Countries
The European General Data Protection Regulation (“GDPR”) and the post-Brexit version of the GDPR retained by the UK (“UK GDPR”) restrict the transfer of personal data to third countries unless an exception applies to the transfer.
The most straightforward exception is an ‘adequacy decision’ (known in the UK as an adequacy regulation).2 An adequacy decision is a determination that the legal framework in the third country has been assessed as providing sufficiently robust protection to personal data, essentially equivalent to the protection afforded by the EU. If an adequacy decision is in place, no further authorisation is required for a transfer of personal data to a third country.
In the absence of an adequacy decision, entities transferring personal data to third countries must ensure the transfer is subject to ‘appropriate safeguards’. The safeguard most commonly relied upon is the use of ‘standard contractual clauses’ drafted by the EU Commission and signed by the parties to the transfer.3 Entities relying on these agreements must also undertake a Transfer Impact Assessment, a complex endeavour through which the transferring entity must undertake its own assessment of the level of protection provided in the destination country.
Alternatively, transferring entities may seek to rely on specific derogations, such as obtaining consent from the data subjects or identifying the transfer as “necessary for the establishment, exercise or defence of legal claims”.4
For companies and their advisors engaged in transatlantic investigations, these alternatives are potentially complex and provide less legal certainty to the transferring entity. Such companies also face greater risks that data subjects will seek legal remedies in respect of transfers that do not meet the strict criteria of the regulations, especially in circumstances where their data is subsequently accessed by US surveillance or law enforcement agencies.
US Surveillance Laws Derail Previous Agreements
Previous attempts to establish an adequacy framework between the EU and US have been beset by legal challenges. The Safe Harbor Framework, established in 2000, under which transfers of personal data could be made from the EU to US companies that had signed up to the Safe Harbor privacy principles, was declared invalid by the European Court of Justice (ECJ) in its ruling in Schrems v Data Protection Commissioner (“Schrems”).5 The central issue identified in Schrems was that the US failed to adequately protect personal data from interference by US national surveillance authorities.
The Safe Harbor Framework was replaced in 2016 by the EU-US Privacy Shield. However, in July 2020, the ECJ declared the Privacy Shield to be invalid in its ruling in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (“Schrems II”). Again, the ECJ highlighted shortcomings in the protection from interference with personal data in US national security laws, specifically noting that the rights of data subjects were not actionable before the courts.
Accordingly, there is currently no EU-US or UK-US adequacy decision. This means that entities conducting transatlantic investigations, which necessarily entail the transfer of personal data to the US, must assume the burden of making their own assessment of the extent to which that data is protected, thus increasing the risk of data subjects seeking legal remedies against the data controller and/or data processor. In the context of investigations, this could give rise to a claim against the company that is the subject of the investigation, or against any entity assisting with the investigation.
A Fresh Attempt
The proposed Trans-Atlantic Data Privacy Framework will seek to address the concerns raised in Schrems II about the level of protection provided to data subjects in the US. The US has pledged to put in place new safeguards to ensure that signals intelligence activities are necessary and proportionate, and to establish a two-level independent redress mechanism with binding authority.
In common with the Safe Harbor and Privacy Shield schemes, the proposed framework will only amount to a partial adequacy decision, restricted to transfers made to participating US companies. This will limit the real-world applicability of the framework because US companies that do not anticipate receiving data from the EU on a regular basis will be unlikely to seek certification under the new regime. If an EU company that is the subject of an investigation wishes to transfer data to a US firm assisting the company with the investigation, the EU company will only be able to rely on an adequacy framework if the recipient US firm is certified under the regime. Transfers to non-participating companies, and to government bodies, will need to continue to rely on standard contractual clauses and an assessment of the level of protection offered by the receiving entity.
There is no guarantee that the agreement in principle will translate into a ratified partial adequacy decision. EU lawmakers will be conscious of the pitfalls that befell the previous two regimes and of the risk that the proposed deal will be derailed by ‘Schrems III’ or other legal challenges. The EU will need to be satisfied that any proposal provides adequate protection against US surveillance laws, particularly to ensure that data subjects are able to seek legal remedies when their data is accessed by a third party.
UK to Prioritise Equivalent Agreement
In August 2021, as part of its post-Brexit trade plans, the UK government announced that it would pursue “multi-billion” pound global data adequacy partnerships with six priority territories: the USA, Australia, the Republic of Korea, Singapore, the Dubai International Financial Centre and Colombia.6
The UK Government has previously expressed disappointment at the ruling in Schrems II and will be keen to capitalise on its freedom to make its own adequacy regulations following its departure from the EU. Equally, the UK will not want the EU to gain a competitive trade advantage in the event the proposed EU-US framework is passed into law. This could ease the data privacy burden on entities carrying out investigations with both UK and US aspects. However, any adequacy regulation in favour of the US will likely remain partial, only permitting data transfers to participating companies.
1 Statement available at: https://ec.europa.eu/commission/presscorner/detail/en/ip_22_2087
2 See Article 45, GDPR
3 In the UK, the use of EU Standard Contractual Clauses is being phased out and replaced by an International Data Transfer Agreement (IDTA) and an International Data Transfer Addendum.
4 See Articles 46 and 49, GDPR
5 (Case C-362/14) EU:C:2015:627