So, it’s been two years since the Court of Justice of the European Union (CJEU) invalidated the US Privacy Shield. Since then, companies transferring personal data to the US have needed to use Standard Contractual Clauses (SCCs) in their contracts to ensure data is safeguarded under the GDPR.
In this article we explore how businesses may be able to benefit from the new framework, what the next steps in the process are, and how this may also impact UK businesses.
In the meantime, businesses must still carry out Transfer Impact Assessments and use SCCs as the transfer mechanism in their commercial contracts. Our data protection solicitors can act swiftly to help with these time-consuming and resource-heavy tasks.
The EU-US Data Privacy Framework
The United States President, Joe Biden, recently signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities. This provides a fix for the issues raised in Schrems II. The Executive Order provides safeguards that limit access to data by US intelligence to what is necessary and proportionate to protect national security, and establishes an independent and impartial redress mechanism, including a new Data Protection Review Court (DPRC), to investigate and resolve complaints from individuals regarding access to their data by US national security authorities.
According to the official White House announcement, the Executive Order:
- Adds further safeguards for U.S. signals intelligence activities, including requiring that such activities be conducted only in pursuit of defined national security objectives; take into consideration the privacy and civil liberties of all persons, regardless of nationality or country of residence; and be conducted only when necessary to advance a validated intelligence priority and only to the extent and in a manner proportionate to that priority.
- Mandates handling requirements for personal information collected through signals intelligence activities and extends the responsibilities of legal, oversight, and compliance officials to ensure that appropriate actions are taken to remediate incidents of non-compliance.
- Requires U.S. Intelligence Community elements to update their policies and procedures to reflect the new privacy and civil liberties safeguards contained in the E.O.
- Creates a multi-layer mechanism for individuals from qualifying states and regional economic integration organizations, as designated pursuant to the E.O., to obtain independent and binding review and redress of claims that their personal information collected through U.S. signals intelligence was collected or handled by the United States in violation of applicable U.S. law, including the enhanced safeguards in the E.O.
- Calls on the Privacy and Civil Liberties Oversight Board to review Intelligence Community policies and procedures to ensure that they are consistent with the Executive Order and to conduct an annual review of the redress process, including to review whether the Intelligence Community has fully complied with determinations made by the Civil Liberties Protection Officer in the Office of the Director of National Intelligence and the Data Protection Review Court.
What does the executive order do?
The Executive Order, together with the accompanying Regulations, establishes a two-layer redress mechanism with independent and binding authority.
Under the first layer, EU citizens will be able to lodge a complaint with the Civil Liberties Protection Officer (CLPO) of the US intelligence community. This officer will be responsible for ensuring compliance by US intelligence agencies with privacy and fundamental rights.
Under the second layer, EU citizens will be able to appeal the decision of the CLPO before the Data Protection Review Court (DPRC). The Court will consist of members chosen from outside the US Government who cannot receive instructions from the US government. The Data Protection Review Court will have powers to investigate complaints, obtain relevant information from intelligence agencies, and take binding remedial decisions.
What’s next in the process?
Now, the European Commission will begin to prepare a draft adequacy decision based on the Executive Order. This draft, along with the Executive Order and the Attorney General's Regulations, will be subject to review by the European Data Protection Board (EDPB). The EDPB will then assess the Framework and provide an opinion on whether it would provide a satisfactory level of data protection for EU citizens.
It’s important to note that whilst the EDPB assessment isn’t binding, it will clearly carry considerable weight. Should the decision be adopted by the European Commission, there can then be a free flow of data between the EU and US companies that commit to complying with privacy obligations and are certified by the US Department of Commerce. This whole process is likely to complete by March 2023; until then, companies are advised to consider the transfer mechanisms currently available, in conjunction with the Schrems II judgment.
What about the UK?
At the same time as the Executive Order was published, the UK Government published a US-UK Joint Statement on a New Comprehensive Dialogue on Technology and Data and Progress on Data Adequacy. The UK welcomed the release of the Executive Order and intends to work expediently to conclude its assessment, with the aim of issuing an adequacy decision that will restore a stable and reliable mechanism for UK-US data flows. The US intends to work to designate the UK as a qualifying state under the Executive Order, assuming the conditions for such designation can be satisfied, which would enable UK individuals who submit qualifying complaints to access the redress mechanism established under the Executive Order.
Despite positive observations from the UK Government and the European Commission (the latter believing the issues in Schrems II have been addressed), we have yet to hear from Max Schrems whether, in his view, this is a sticky tape quick fix that will not stand up to scrutiny from the CJEU.
The UK Government is now working expediently to complete its adequacy assessment process for the UK-US Data Privacy Framework.
In turn, the European Commission is also now commencing its adequacy approval process.
One thing that companies can agree on is that the risk-based approach to assessing transfers is long and intricate. Naturally, the UK-US Data Privacy Framework would mean that exporters no longer need to carry out Transfer Risk Assessments (TRAs) or use International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses (SCCs) for transfers to certified US importers.
Welcome news for companies is that the Executive Order has immediate effect, so companies can begin to consider the undertakings contained in it when carrying out TRAs for transfers to the US. However, with Max Schrems already issuing his first thoughts on the Executive Order, there may even be a Schrems III on the horizon pretty soon – who knows? Let’s all take heed and wait!
With the previous Safe Harbor and Privacy Shield both having been invalidated, companies may feel more comfortable continuing to use the UK IDTA or UK Addendum, together with the International TRA tool, for transfers to the US.
It’s also important to note that the US has not yet designated the UK or the EU as qualifying territories under the redress mechanism.
It’s a good idea for companies to begin a gap analysis between their own practices and Privacy Shield 2.0 to assess compliance, and then see how the framework fares if challenged.