Privacy Shield replacement on schedule, but obstacles persist

Since the most recent mechanism to ensure "safe" data transfers between the European Union and the United States was revoked, businesses on both sides of the Atlantic had hoped that a feasible alternative would come into effect swiftly to provide the same level of legal certainty.

Thankfully, momentum is accumulating toward a new standard.

The Court of Justice of the European Union's (CJEU) judgment in July 2020 invalidating the Privacy Shield increased the danger of corporations breaching the EU's General Data Protection Regulation (GDPR) when moving data between the two regions. On national security grounds, U.S. surveillance regulations provide extensive access to the personal data of EU individuals.

As a result of the decision, standard contractual clauses (SCCs) and binding corporate regulations (BCRs) became preferred alternatives for facilitating transatlantic data flows. Yet neither system provides the Privacy Shield's protection, so businesses have considered a new deal between the European Union and the United States essential.

In March 2022, there was a glimmer of hope when the two regions struck a preliminary agreement on a new data transfer framework. Under the framework, the United States must implement safeguards to guarantee that surveillance actions conducted by U.S. intelligence services are "necessary and proportionate" to achieving predetermined national security goals.

It must also strengthen oversight of intelligence activities to ensure compliance with limitations on surveillance activities, and establish a two-tiered independent redress mechanism, along with corrective measures, so EU citizens can file complaints about how U.S. intelligence services may be using their data and have the opportunity to appeal any decision.

In October, U.S. President Joe Biden signed an executive order explaining how the government intends to carry out its obligations under the framework. In response, the European Commission released its draft adequacy decision in December, which is currently undergoing the adoption process. This requires the opinions of the European Data Protection Board (EDPB) and the European Parliament, and sign-off from representatives on a committee composed of EU member states.

The European Parliament's Committee on Civil Liberties, Justice, and Home Affairs stated in its draft opinion on February 14 that it does not believe the commission should extend an adequacy decision to the United States because the framework does not yet provide a level of data protection equivalent to that of the European Union. The EDPB took a similar position on February 28, asking the European Commission to clarify certain areas of the framework and proposing the adoption of reviews on elements such as enforcement and redress.

The consequences of these opinions are yet to be determined.

If a decision is reached, European companies would continue to be able to transfer data freely to the United States, while U.S. companies would be able to join the framework by committing to comply with an as-yet-unspecified set of privacy obligations and obtaining certification through the U.S. Department of Commerce.

The European Commission, European Union data protection authorities, and U.S. authorities would perform periodic reviews of the framework's operation. Within one year of the adequacy decision, the United States' implementation of the necessary safeguarding measures would be evaluated.

Experts in data have largely welcomed the development.

Once the framework is ratified, according to Andrew Northage, a partner in the regulatory and compliance team at law firm Walker Morris, it will "provide businesses with a much simpler and more predictable mechanism for the transatlantic transfer of personal data."

SCCs and BCRs "typically increased the cost and administrative burden of GDPR compliance by requiring transfer impact assessments to be completed before transfers could take place (if at all) and introduced considerable uncertainty."

Northage added, "If the framework is adopted, U.K. companies can expect this to act as a catalyst for agreement on a U.K./U.S. data transfer framework—if movement hasn't already happened by then."

Legal experts are also optimistic that the safeguards agreed to by the United States can address the concerns that prompted the CJEU to pull the plug on the Privacy Shield; however, privacy campaigner Max Schrems, who was responsible for the demise of the Privacy Shield and its predecessor, Safe Harbor, is unlikely to be appeased.

Thus, some observers anticipate that the data transfer framework will face more legal obstacles.

Such a possibility, according to James Castro-Edwards, privacy, cybersecurity, and data strategy counsel at the law firm Arnold and Porter, "leaves companies with the dilemma of whether or not to invest resources in certifying to a [framework] that risks being invalidated in a Schrems III decision or continuing with the SCCs."

Sarah Pearce, a partner at the law firm Hunton Andrews Kurth, stated, "People have somewhat lost patience with the issue, and organizations are looking for legal certainty and reassurance that they can rely on the decision once confirmed."

"If the new adequacy decision were to be struck down again by the CJEU, organizations may lose faith in the feasibility of a successful EU-U.S. data transfer framework and turn to SCCs as their sole and permanent solution to legitimize data transfers to the United States."

Pearce advised businesses to assess their international data flows, particularly those from outside the United Kingdom/European Union to the United States, and review their current international data transfer mechanisms in order to prepare for this scenario. This encompasses both intragroup and intergroup transfers (such as to vendors).

She stated that organizations should strengthen or implement data transfer methods as necessary to comply with U.K./EU data transfer restrictions.

Northage also feels that until the data privacy framework is deemed "bulletproof" from a legal standpoint, some businesses may prefer to remain as they have been.

"Despite the framework presenting as a more straightforward alternative to the other available transfer mechanisms, companies may prefer to hedge their bets and make sure they have back-up plans in place should the framework be successfully challenged and invalidated," he said.


