An agreement between the EU and U.S. on data transfers has ended three years of uncertainty. Joseph Fitzgibbon, Senior Associate in our Media and Technology team, breaks down the new framework and discusses its implication on data transfers in the future.

Transatlantic data flow from the United Kingdom and the European Union to the U.S. underpins more than $7 trillion in cross-border trade and investment annually. Both the European Union and the United Kingdom, however, apply restrictions on how personal data is processed when transferred outside of the European Economic Area (EEA). These restrictions include extra safeguards to ensure that personal data is processed in a manner equivalent to the protections under the GDPR. There are alternatives to putting these safeguards in place: for example, where a country has taken adequate precautions to ensure data is protected, and the EU has recognised this, in what is known as an adequacy decision. Where a country has adequacy approval, personal data can flow from the EU (as well as Norway, Liechtenstein and Iceland) to that third country without additional safeguarding, in the same way as data processed within the EU.

Data Transfer Framework (DTF)

On July 10, 2023, the European Union recognised the adequacy of transfers to the United States where the transfers are made to commercial organisations participating in the Data Transfer Framework. The new deal permits companies to freely transfer data between the EU and U.S., ending three years of legal uncertainty. The DTF has been put in place as an alternative to the EU-US Privacy Shield agreement, which was overturned in the Schrems II case by the European Court of Justice.

Background

In 2020, the Court of Justice struck down the Privacy Shield agreement, halting the transfer of data between the EU and U.S. under this mechanism. The two key reasons for the court's decision were:

  1. The U.S. legal system did not provide adequate protection to data subjects against electronic surveillance or signals intelligence activities carried out by the U.S. Federal Authorities.
  2. The data subjects affected by these activities did not have a right of redress which was "essentially equivalent" to the right to an effective remedy before an independent and impartial tribunal, as is guaranteed under the GDPR.

The Court held that the Privacy Shield agreement was an unreliable mechanism on the basis that the limitations on the protection of personal data under U.S. law were too restrictive. Additionally, it was held that U.S. law enforcement authorities had disproportionate access to the personal data of individuals based within the EEA, and that the Privacy Shield did not provide a remedy giving those based in the EEA actionable rights against U.S. authorities in U.S. courts. The Court of Justice concluded that the protections afforded by the Privacy Shield were not consistent with the protections under the GDPR and national data protection laws across EEA countries.

Attempts to address the issues identified by the Court of Justice included an Executive Order made by President Joe Biden in October 2022. This order created enhanced safeguards for U.S. Signals Intelligence Activities and established the Data Protection Review Court (DPRC), which will independently investigate and resolve qualifying complaints by Europeans regarding access to their personal data by U.S. national security authorities.

EU Reaction

The DTF was also required to be approved by the European Union to complete the process and adopt the adequacy decision. Although there was a lot of criticism from MEPs over concerns such as mass surveillance and bulk collection of data, this issue was resolved following further improvements to the framework, and the approval was eventually granted.

How will the framework work in practice?

Companies can self-certify their compliance with the framework and subsequently be featured on the 'Data Privacy Framework List', which will be monitored, in order to receive and process personal data from those based in the EEA. The U.S. Department of Commerce encourages companies to take advantage of this economic opportunity for U.S. businesses, including small and medium-sized organisations, to access an affordable and streamlined mechanism for personal data transfers from the EEA. Those who have not self-certified, or who are not featured on the list, are not covered by the adequacy decision and are still required to have suitable safeguards, such as Standard Contractual Clauses, in place in accordance with the GDPR.

The first review of the Adequacy Decision is scheduled to take place one year after it enters into force, to ensure that all elements are being implemented effectively, and subsequent reviews of the adequacy decision will take place at least every four years.

UK – U.S. Data Transfer Framework

In 2021 the UK exported more than £79 million of data-enabled services to the US. Following a commitment made between U.S. President Joe Biden and UK Prime Minister Rishi Sunak this year, the two countries will have their own version of the Data Transfer Framework, which will be based on the DTF. However, this is yet to come into force, as there is an obligation within the UK to consult the Information Commissioner's Office before initiating any process which recognises that a country has adequate data protections. This means that UK-based organisations cannot currently rely on adequacy.

Looking forward

Despite the continued developments to create these 'data bridges', the European Centre for Digital Rights (also known as NOYB), which was founded by the applicant in the Schrems II case, has announced its plans to proceed with a third case raising issues with the DTF and its compliance with the GDPR. NOYB has stated that it expects to be back in the European Court of Justice next year to attempt to prevent the framework from coming into force. The U.S. Commerce Department has announced that only 2,500 companies have signed up for the framework, as opposed to the 5,000 that had previously registered for the Privacy Shield. Many businesses have stated that they will wait until they are sure the framework will be successful without the need for additional safeguards before signing up. In the short term, data transfers to the U.S. may have got a little easier; however, those looking to the longer term might not want to throw out their SCCs yet.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.