Ann-Maree Blake, Partner
Last Friday, the EU and US announced they have reached an agreement in principle regarding cross-border data transfers. The Trans-Atlantic Data Transfer Framework (the Framework) has been welcomed by businesses, especially those in the tech sector, who have been left in limbo regarding data sharing between the two territories following the invalidation of the so-called Privacy Shield in July 2020.
At Friday’s joint press conference with President Joe Biden, European Commission President Ursula von der Leyen said:
“We have found an agreement in principle on a new framework for trans-Atlantic data flows.
“This will enable predictable, trustworthy data flows between the EU and the U.S., safeguarding privacy and civil liberties.”
The background to the EU, US data transfer agreement
In 2013, Austrian privacy lawyer and activist, Max Schrems lodged a complaint with the Irish Data Protection Commissioner on the grounds that Edward Snowden’s revelations demonstrated that US law did not offer sufficient protection against the surveillance of personal data by US public authorities. Mr Schrems targeted Facebook in his complaint but of course, many other companies transfer data from the EU to the US and would therefore be affected by any decision.
The European Court of Justice (ECJ) ruled in 2015 that the Safe Harbour Agreement which permitted the personal data of EU citizens to be transferred to the US was invalid and did not adequately protect EU citizens.
Following the ECJ’s decision, companies in the EU relied on Standard Contractual Clauses (SCCs) to move data across the Atlantic whilst the EU and the US negotiated the Privacy Shield framework to replace the Safe Harbour Agreement. In July 2020, the ECJ in a judgment referred to as Schrems II found that the Privacy Shield framework no longer provided adequate safeguards for the transfer of personal data between the territories.
Schrems II also made clear that a tick-box exercise of putting an SCC in place was not good enough, instead, the risks associated with a particular data transfer had to be suitably assessed (more on this below). Since Schrems II multinational and technology companies, who are often transferring enormous data sets, have faced enormous challenges and expenses in ensuring the equivalent level of protection to the strict European data laws is in place when moving personal data across the Atlantic.
President Joe Biden welcomed the new Framework addressing the difficulties faced by businesses conducting cross-border data transfers, stating:
“This framework underscores our shared commitment to privacy, to data protection, and to the rule of law [and will] help facilitate $7.1 trillion in economic relationships with the EU.”
Details of the Trans-Atlantic Data Transfer Framework
The White House has released a factsheet on the Trans-Atlantic Data Transfer Framework. The main points include:
- The Framework will re-establish an important legal mechanism for transfers of EU personal data to the US.
- The US has committed to implementing safeguards to ensure that any intelligence activities are proportionate and necessary to national security.
- New independent redress mechanisms for EU citizens who believe their personal data has been unlawfully targeted by US signal intelligence activities are to be established. Part of the redress system will include an independent Data Protection Review Court that will comprise of people chosen from outside the US Government who will have full authority to adjudicate claims and direct remedial measures as necessary.
- US intelligence agencies will adopt procedures to ensure effective oversight of new privacy and civil liberties standards.
The factsheet confirms:
“Participating companies and organizations that take advantage of the Framework to legally protect data flows will continue to be required to adhere to the Privacy Shield Principles, including the requirement to self-certify their adherence to the Principles through the U.S. Department of Commerce. EU individuals will continue to have access to multiple avenues of recourse to resolve complaints about participating organizations, including through alternative dispute resolution and binding arbitration.”
What does the agreement in principle to adopt the Trans-Atlantic Data Transfer Framework mean for the UK?
Following the end of the Brexit transition period, the UK was granted an ‘adequacy’ decision by the EU. This means that the EU has concluded that the UK provides an equivalent level of protection for personal data to the one guaranteed under EU law. Data transfers to the UK from the EU and vice versa, therefore, require no additional safeguards.
At present, Schrems II continues to apply in the UK. As such, if you are transferring data to any country that has not been granted adequacy, you must conduct a transfer risk assessment in relation to the country receiving the data and if any weaknesses are revealed, supplementary measures to those contained in an SCC must be implemented.
Regarding SCCs, the UK’s new international data transfer mechanisms: the International Data Transfer Agreement (IDTA), essentially the UK equivalent of the SCC, and Addendum to the EU Standard Contractual Clauses (UK Addendum) came into effect on 21 March 2022. From this date, if you are transferring personal data from the UK to a country which has not been granted adequacy, you will need to use either the EU SCC plus the UK Addendum or the IDTA.
Finally, the UK has previously announced that it is proactively looking at expanding its list of ‘adequate’ nations and an agreement with the US is top of the agenda.
“The aim is to move quickly and creatively to develop global partnerships which will make it easier for UK organisations to exchange data with important markets and fast-growing economies. These new partnerships will build on the existing 42 adequacy arrangements the UK has in place with countries around the world”
The Trans-Atlantic Data Transfer Framework will be welcome news for the UK government and the business community as it provides an agreement model that will allow the UK to grant adequacy to the US without jeopardising its own adequacy concerning EU/UK data transfers.
We will continue to keep you updated on all data protection developments, including the UK’s reaction to the Framework.
To find out how we can advise you on all matters relating to GDPR and data protection law, please contact Ann-Maree Blake (email@example.com), Partner in our Corporate/Commercial Team who specialises in Data Protection & Privacy.
Please note – this article does not constitute legal advice.