The next EU-US data transfer regime
The EU and US have agreed a new Data Privacy Framework to facilitate bilateral data transfers. In-House Perspective assesses whether the new framework will withstand legal scrutiny and how companies can prepare for a still uncertain future.
In an increasingly data-driven economy, it’s vital that data can be transferred across borders both freely and compliantly. Yet this has proved difficult for data flows between the US and Europe – the world’s most powerful economic blocs – due to concerns that the level of data protection in the US is lower than the threshold expected in the EU, home to the world’s most stringent – and punitive – privacy legislation, the General Data Protection Regulation (GDPR).
Previous attempts to ensure that data transfers to the US enjoy the same level of data protection as expected in the EU failed, primarily because of the US government’s willingness to allow its intelligence services to access personal data. The ‘Safe Harbor’ regime was ruled invalid by the Court of Justice of the European Union (CJEU) in 2015 and its 2016 successor, the Privacy Shield, lasted just four years until it, too, was declared invalid by the CJEU. Since July 2020, EU and US companies have had to rely largely on safeguards of their own, such as standard contractual clauses, to keep their data transfers legally compliant.
A new day, a new framework
But now the European Commission has championed a new mechanism. In mid-July 2023 the Commission adopted an adequacy decision for the EU-US Data Privacy Framework (DPF), which means that, as far as the Commission is concerned, the US now offers a level of data protection comparable to that of the EU under the GDPR. In its press notice, the Commission assured businesses that ‘personal data can flow safely from the EU to US companies participating in the Framework without having to put in place additional data protection safeguards’.
US companies will be able to join the DPF by committing to comply with a detailed set of privacy obligations – for instance, the requirement to delete personal data when it’s no longer necessary for the purpose for which it was collected, and to ensure continuity of protection when personal data is shared with third parties.
Commentators suggest there’s no serious compliance work needed to use the new mechanism. For companies already registered under the Privacy Shield, very little effort is required to take advantage of the DPF regime as the requirements are broadly the same as before.
For other organisations, the process of self-certifying under the DPF is also relatively straightforward. One of the benefits is that a data controller no longer needs to undertake a Transfer Impact Assessment (TIA) to determine whether there’s any risk involved in sending data from the EU to the US. By contrast, a TIA is still necessary for companies relying on standard contractual clauses (SCCs) or binding corporate rules (BCRs) – two other methods of staying legally compliant while transferring data.
The functioning of the DPF will be subject to periodic reviews by the European Commission, EU data protection regulators and competent US authorities. The first review will take place within a year of the entry into force of the adequacy decision and is primarily intended to confirm that the US is delivering on its end of the deal and that the requirements to ensure data adequacy and redress have been implemented in the US legal framework and are functioning effectively.
Data deja vu
There are concerns, however, that this latest effort will be killed off as surely as its predecessors. Max Schrems, the privacy campaigner who successfully derailed both the Safe Harbor regime and the Privacy Shield, has already said that the new framework isn’t that different from its predecessors and doesn’t, in his view, come close to meeting the requirements laid out by the CJEU. Chiefly, he says, neither US law nor the EU’s approach to data protection has changed much, and EU citizens will not have the same rights as US citizens under the country’s surveillance laws. He has suggested a legal challenge could be mounted.
Nonetheless, others believe the new framework agreement answers the concerns raised by the CJEU and will work – at least in the short term. However, they caution that it remains for the CJEU to decide in any future legal challenge whether the DPF provides proper data adequacy, and not the European Commission.
Roland Mathys, Vice-Chair of the IBA Technology Law Committee and Head of the Technology, Data and Cyber Law practice at law firm Schellenberg Wittmer in Zurich, says the new framework addresses the primary concerns of both the CJEU and campaigners such as Schrems regarding the proportionality of US authorities’ access to personal data and the lack of effective mechanisms for EU citizens to challenge any surveillance carried out by them. It does this, he says, by amending the US legal framework for intelligence activities and introducing data access limitations on US authorities so they can only see what’s ‘necessary and proportionate’ to protect national security.
It also creates a free-of-charge redress and arbitration mechanism for EU individuals via a newly established Data Protection Review Court, a three-judge panel that has the power to order the deletion of any data that it finds was collected in violation of the framework’s safeguards. These changes are primarily based on Executive Order 14086, signed by US President Joe Biden in October 2022.
Mathys says EU data protection authorities and the legal community have generally reacted positively to the framework, with the European Data Protection Board (EDPB) – the EU’s overarching privacy regulator – noting that the US changes made to address European privacy concerns under the GDPR are a significant improvement on the deficits identified by the CJEU in the Schrems II judgment, which invalidated the Privacy Shield regime. However, Mathys adds that ‘it remains to be seen if it may satisfy the concerns of the CJEU’, as well as privacy campaigners.
Adam Rose is Chair of the IBA Data Protection Governance and Privacy Subcommittee and a partner at Mishcon de Reya in London. To him, there’s a very real chance that the DPF will be struck down by the CJEU. ‘Even though the EU (and the UK) have said that the US is now an OK destination to transfer data securely, they also said that for the two previous schemes in place before the CJEU in its Schrems I and II judgments decided otherwise’, he says. ‘There must be a real risk that the Court will decide that the latest version also doesn’t work. There is no appetite in the EU or the US for changing either GDPR or US surveillance laws to make future data transfers work, and I don’t think that the UK will make any such changes to UK GDPR and risk its EU adequacy finding, either.’
Kristy Gouldsmith, a partner at Spencer West in London, also finds it ‘doubtful’ that the DPF will work. There are two key sticking points, she says. Firstly, the lack of a US federal law governing how organisations process personal data means there’s no country-wide equivalent of the GDPR, while secondly, efforts by individual US states to enact their own legislation means variances in data protection.
‘The US Constitution does not guarantee privacy and there are no federal laws governing how organisations process personal data, which has led to individual states enacting their own legislation’, says Gouldsmith. ‘In addition, for an agreement to be acceptable to the CJEU, the US would need to extend the same privacy protections to non-US citizens, a policy that may prove to be incredibly politically unpopular, with some saying that it would oppose the US federal security agencies protecting the country. For now, the DPF has opened for applications from US companies; however, those companies shouldn’t tear up their transfer safeguard agreements as they may need them in the future.’
If the CJEU does reject the DPF, Mathys isn’t sure what further changes could be made to satisfy the Court. He believes the prospect of either the GDPR or US surveillance laws being changed in order to facilitate future data transfers between the European Economic Area (EEA) and the US is ‘unlikely in the short term’. The US, he says, ‘may not be eager to introduce yet more changes, in particular, in light of the worldwide security issues prevalent today’, while the EU ‘does not seem to have any appetite for making its data protection laws regarding data transfers less stringent’.
Marc Hilber, Co-Chair of the IBA Technology Law Committee and a partner at law firm Oppenhoff in Cologne, doesn’t expect any significant changes to the GDPR or US surveillance laws, at least as long as the DPF remains in force. ‘With the introduction of the DPF, the state of legal uncertainty, which has been difficult to bear for a large number of EU and US companies, has now come to an end. This also means that the pressure to find a solution is gone for now,’ he says. But Hilber adds that ‘should the CJEU also overturn the DPF […] more substantial changes to the legal framework would become more likely’.
Matthias Orthwein, Senior Vice-Chair of the IBA Technology Law Committee and a partner at SKW Schwarz in Munich, believes that in the US in the future, ‘we will see a strong movement and development of privacy state laws that will be close to the GDPR’s principles’. He doesn’t expect, however, that the US will have a federal privacy law anytime in the foreseeable future or that it will take any further substantial steps towards changing its surveillance laws.
Data transfers on the ground
If companies are exporting, or planning to export, personal data from the EEA to the US, Mathys says they should plan their response depending on whether they have already concluded SCCs or not. If the data exporter and the data importer have done so already, he recommends that companies use both the SCCs and the new DPF as transfer safeguards, provided that the data importer in the US is able to get certified under the framework. If the US data importer cannot be certified, companies will need to rely on the SCCs anyway. ‘We would therefore not recommend terminating the SCCs before a final judgment following a legal challenge has been issued’, he says.
However, even if the data exporter and data importer have not yet concluded SCCs, Mathys doesn’t see an issue with companies transferring data under the DPF provided that the data importer is able to get certified. At the same time, he says, companies using this safeguard mechanism should keep a close eye on legal developments before the courts – in particular, the CJEU – regarding the framework’s validity. ‘Companies have to be prepared to act quickly should the DPF once again be declared invalid by the CJEU’, he says.
Hilber also believes that ‘companies can reduce the risk of being blindsided by a legal challenge of the DPF by continuing to base their transfers to the US on SCCs or BCRs. The DPF also provides relief for these transfer tools because the legal framework created by the Executive Order makes extensive TIAs unnecessary in this case as well. As an alternative, it is possible to base data transfers primarily on the DPF, but to conclude SCCs or implement BCRs as a back-up.’
But Rose says ‘companies are left in a really difficult place’. He reflects that the US is such an important player that companies have no option but to use US businesses and transfer data to the US. ‘All they can do is try their best, use the relevant transfer mechanisms that the EU (and UK) have put in place, make sure they are dealing with proper companies, and undertake a transfer impact assessment – but recognise that there is a risk’, he says, adding that he doesn’t believe that data regulators will take any steps against companies that follow those rules if it turns out that the current arrangements to transfer data are struck down by the courts.
Orthwein says that data protection authorities (DPAs) in Germany have publicly confirmed that they’ll respect the DPF as long as it’s in force. The general consensus among other commentators is that other EU DPAs are also expected to back it. As such, says Orthwein, EU and US companies can rely on this framework and make use of it as a solid legal basis for data transfer, especially since it’s unlikely that any legal challenges will be successful in the next two or three years. Still, Orthwein advises companies ‘not to discontinue the already taken additional measures to make sure that the rights and freedom of data subjects are safe when their personal data is transferred over the Atlantic’.
In particular, he says, EU companies that rely on personal data as part of their long-term business models should implement and continue to use all the additional guarantees and safeguards that were advised before the DPF. ‘Nobody can actually exclude that Max Schrems will again be able to persuade the CJEU that the DPF is as insufficient as its predecessors’, explains Orthwein. ‘That is why companies can’t build a business model based upon the mandatory requirement that the DPF is and will always be in place and will be the only/utmost important legal basis for data transfer’, he says. ‘We advise them to keep all the technical and organisational measures up and running, such as encryption with own keys, restricted support access from the US and limiting the collection of telemetric and statistical data and so on’.
Robert Grosvenor, Managing Director at management consultancy Alvarez & Marsal in London, believes the DPF may not afford the level of protection or legal certainty that companies are looking for. ‘The DPF is still reliant upon self-certification and the ability of a US data importer to process data in accordance with GDPR remains the responsibility of the EU exporting data controller’, he says. ‘As such, EU companies may still require contractual measures in their data processing agreements based on or similar to SCCs in order to protect their own interests and responsibilities around the management of EU data’.
However, Nigel Jones, co-founder of data privacy software vendor the Privacy Compliance Hub, believes it’s likely the DPF will be challenged, but ‘such a possibility shouldn’t change the behaviour of companies in the EU or the UK’. He explains that ‘if EU companies already have in place SCCs for their existing transfers to the US together with such supplementary measures as they believe to be appropriate to protect personal information being transferred to the US, they need not do anything further’. ‘If an EU company doesn’t have such a mechanism in place for an existing transfer to the US, then it should now check whether the US company is registered under the new framework and, if so, it will be fine’, he adds. ‘And if a company proposes a new transfer to the US, it should again check whether the importing US company is registered under the framework and, if it is, it doesn’t need to do anything further’.
Jones explains that, for UK companies for example, the adoption of the DPF doesn’t change anything for the moment. ‘However, once the UK and the US have agreed their so-called “data bridge” which is expected imminently, UK companies will also be able to safely transfer personal data to US companies registered under the framework’.
Going forward, says Jones, ‘relying on the DPF will be much easier than other appropriate safeguards and the possibility that it may be successfully challenged in the courts in a few years’ time shouldn’t deter EU companies from relying on it if they can’.
Ultimately, Orthwein believes that ‘it would be […] with a catastrophic effect to the EU economy if the CJEU would again reject the data transfer framework’, adding that EU companies need the security of a reliable framework they can build their digital transformation upon.
Neil Hodge is a freelance journalist and can be contacted at neil@neilhodge.co.uk