With transatlantic data flows under scrutiny since the Schrems I and Schrems II court rulings invalidated the previous data transfer frameworks, organisations have been seeking to ensure that US data transfers can continue to flow lawfully. Post ‘Schrems’, Standard Contractual Clauses (SCCs) have been the transfer mechanism of choice for many organisations, with the EU Commission releasing updated SCCs to assist data controllers and processors in ensuring that appropriate supplementary measures are in place to address the risks associated with restricted transfers of personal data.
While SCCs have remained a valid transfer mechanism, there has been some debate as to whether SCCs can meet the EU standard ‘essential equivalence’ test by ensuring the effective protection of individuals’ fundamental rights. Even when underpinned by thorough Transfer Impact Assessments (TIAs) and the identification of supplemental control measures, it has been argued that this test cannot be met where jurisdictions such as the USA are concerned, due in particular to the risk of intelligence agencies accessing personal data.
This has set the scene for the recent signing by President Biden of the long-awaited Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities (the EO), directing the steps necessary to implement the US commitments under a new EU–US Data Privacy Framework.
In this article, we will explore the purpose of the EO, what developments data controllers can expect next and any recommended actions.
What does the EO aim to achieve?
The issuing of the EO is the result of negotiations between the European Commission (EC) and the US Government. EC negotiators had been seeking to address concerns raised by the Court of Justice of the EU (CJEU) in the Schrems II judgment, such as the risk of US intelligence agencies accessing personal data of EU citizens and the absence of an effective remedy for data subjects. The EO introduces safeguards to address these concerns, including limitations on US national security authorities’ access to data and the creation of a new redress mechanism for data subjects.
Will the USA receive an adequacy decision?
There are steps that still need to be taken for the new framework to be fully implemented, including the need for the US Department of Commerce to release principles against which companies must self-certify. A self-certification scheme was also in place for Privacy Shield; however, the new principles will be more closely aligned with the GDPR, for example in the definition of personal data. Once this is in place, it will be possible for a determination on adequacy to be made by the European Commission.
Were a positive adequacy decision to be issued, the framework could then be relied on as a valid data transfer mechanism. Reaching an adequacy decision involves the EU Commission drafting an adequacy determination and putting that determination before the European Data Protection Board (EDPB), which will then issue a non-binding opinion. EU Member States must then vote on whether to approve the decision, with the College of Commissioners taking the decisive step of formally adopting it. This process may take up to six months from the point of the EU Commission issuing its draft determination.
As we have learned, the real determination as to the adequacy or otherwise of this new Framework may in time be made by the European Courts, with Noyb (Max Schrems’ non-profit aimed at promoting public awareness of data protection rights) already indicating that it does not believe the new framework will satisfy EU law.
What should organisations do now?
As of now, the new EU–US Data Privacy Framework is not yet established, and so SCCs remain a valid transfer mechanism subject to appropriate supplementary safeguards being in place. Many organisations will already have undertaken a plan of work to revise existing SCCs with the new model clauses ahead of the December 27th, 2022 deadline. Consideration should be given to how the new EO may impact TIAs concerning existing data transfers facilitated by SCCs, as its direction may have an immediate impact on the risk of intelligence agencies accessing data and so TIAs may be updated accordingly. Beyond this, organisations should monitor further developments with respect to the implementation of the EU–US Data Privacy Framework, including the publication by the US Department of Commerce of the principles to which US companies will need to self-certify. Further, the adequacy decision process will progress in the coming months and organisations should look to the EDPB’s non-binding opinion as an indicator of the likelihood of its formal adoption.
In the meantime, these latest developments will give some cause for cautious optimism that there will be a new framework in place to facilitate the free flow of personal data across the Atlantic. Whether it will stand the test of time, or indeed any potential test before the European courts, will remain to be seen.
Trilateral’s Data Protection and Cyber-Risk Team has extensive experience helping our clients manage their data protection compliance programs, including assessing restricted transfer implications. Contact our advisors today to discuss how we can assist your organisation on its compliance journey.