Biden paves way for EU-US Data Privacy Framework and UK-US adequacy agreement
Published on 18th Oct 2022
Is post-Schrems II legal certainty on the horizon for transatlantic data processing?
The Court of Justice of the EU’s (CJEU) Schrems II judgment from 16 July 2020 has led to considerable legal uncertainty concerning transfers of personal data from the EU and the UK to countries outside the EU, European Economic Area and the UK.
The judgment especially affected personal data transfers to the US since the CJEU declared the US adequacy decision at the time, the EU-US Privacy Shield, invalid. This meant that EU and UK businesses had to switch to another transfer mechanism such as the Standard Contractual Clauses (SCC), also known as "model clauses", when transferring personal data to the US.
'Model clauses' uses
Another consequence of the CJEU judgment concerns the use of the SCC: the contractual partners in the EU, UK and the US now need to determine appropriate contractual, technical or organisational measures to provide adequate safeguards for the respective international data transfer.
Additionally, clause 14 of the SCC requires a detailed analysis of aspects concerning the specific data transfer, but also of “the laws and practices of the third country of destination – including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards”.
Apart from prolonged commercial negotiations when implementing SCC, these obligations have added considerable cost for businesses when carrying out this specific analysis.
EU, UK and US action
What have governments in the EU, UK and US done to address these challenges? As a reaction to the CJEU judgment and the challenges for transatlantic business it presents, the European Commission and the US government worked together to address the requirements of the Schrems II judgment to have a different foundation for a new adequacy decision for the US. On 25 March 2022, they announced an agreement in principle on the modalities for the adequacy decision: the now much-anticipated EU-US Data Privacy Framework.
Following these EU-US bilateral discussions, the US president, Joe Biden, signed on 7 October 2022 the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities to pave the way for the new adequacy decision. Based upon the next steps described in the European Commission questions and answers on the EU-US Data Privacy Framework, the adequacy decision could be adopted in spring 2023.
The UK's exit from the EU means that the UK is free to adopt its own UK-US adequacy decision, also in response to the CJEU judgment. Hence, the UK government has engaged in its own bilateral discussions with the US government to find an equivalent solution for UK-US data transfers under the (now separate) UK General Data Protection Regulation.
Following the announcement of the executive order, the UK and US issued a joint statement announcing the launch of their US-UK Comprehensive Dialogue on Technology and Data. In this statement, the UK government also welcomed the signing of the executive order as signalling a "significant step forward in our work on bilateral cross-border data flows". According to a recent UK government explanatory note, it intends to "work expediently" to review the enhanced safeguards with the aim of preparing a UK-US adequacy regulation in Parliament in early 2023, alongside guidance for organisations and individuals.
US navigates Schrems II
What measures will the US take to navigate the CJEU findings? As a reaction to the Schrems II judgment, the executive order:
- Introduces safeguards to ensure that signals surveillance activities are necessary to pursue defined national security objectives and do not disproportionately impact privacy rights and civil liberties.
- Creates a control mechanism enabling EU and UK individuals to seek a review if they believe their personal data was processed through US signals intelligence in a manner that violated applicable US law.
Osborne Clarke comment
Although the announcement is not an immediate fix for transatlantic data flows, we recommend businesses include information on the executive order in their transfer impact assessments for the US in order to comply with clause 14 (b) (ii) of the SCC.
The steps announced in the executive order try to address the shortcomings of the previous US adequacy decisions. It, however, remains uncertain whether the order will manage to provide sufficient changes by addressing the issues raised in the Schrems II judgment.
There has been some immediate criticism, for instance, from the Vienna-based organisation NOYB (The European Center for Digital Rights), pointing out that the US government interprets the term “proportionate” differently to the European law wording; therefore, the first measure does not sufficiently restrict bulk collection of signals intelligence. The second measure, the new control mechanism, is not comparable to a judicial redress required by European law.
It, therefore, seems likely that NOYB will raise another complaint before the CJEU against a future EU-US Data Privacy Framework (a "Schrems III") reliant on the safeguards provided for in the executive order. Businesses should therefore follow all further developments and wait for details on the specifics of the adequacy decisions.
Due to the scrutiny the adequacy decision will be subject to, EU and UK businesses may nevertheless want to prepare for an invalidation of the future adequacy decisions. While a Schrems III decision before the CJEU invalidating a future EU-US Data Privacy Framework would no longer be binding on the UK, it may well have an impact on the future of a UK-US adequacy decision (particularly if Schrems or another privacy activist were to raise a similar complaint before the UK courts).
As such, even if the adequacy decisions are approved next year, it would seem sensible for businesses to continue to enter into SCC (and/or the UK equivalent data transfer agreements) in addition to relying upon the future adequacy decision; this way, commercial negotiations would routinely include SCC and the effort of switching between these two mechanisms could be minimised.