A key aspect of UK and EU data protection law is that transfers of personal data to third countries are not permitted unless: there is a finding of adequacy in respect of that country, appropriate safeguards are in place, such as use of standard clauses, or a derogation applies such as obtaining consent. This has created difficulties for transfers of personal data from the EU (and post-Brexit, the UK) to the USA, particularly since the invalidation of first the Safe Harbour mechanism and more recently the Privacy Shield following the Schrems challenges.
President Biden has now signed an executive order (order) on Enhancing Safeguards for United States Signals Intelligence Activities. This order implements the commitments under the EU-U.S. Data Privacy Framework (framework) which was announced in March 2022.
This new framework will replace the Privacy Shield. It is designed to address the key weaknesses of the Privacy Shield – notably that it did not adequately protect individuals’ data from widescale collection and use by government agencies and did not provide enforceable remedies for EU citizens.
What happens next?
The European Commission (EC) must complete an adequacy assessment and issue an adequacy decision. The assessment will determine whether the US meets data protection standards for the transfer of personal data equivalent to those of the EU. It is clearly hoped that the framework is rigorous enough to allow the EC to issue the sought-after adequacy decision, which is expected in spring 2023.
How will this affect UK businesses?
As any new adequacy assessment by the EC will be between the EU and US – not the UK - it will not be applicable to transfer from the UK to the US. However, the UK and US have made significant progress towards finalising their own UK-US data adequacy agreement. It has been said that the UK government is expecting to present regulations for this framework in early 2023, however, before this can happen the Information Commissioner’s Office (ICO) will be consulted for an opinion on the proposed regulations.
Meanwhile therefore, UK (and indeed EU) businesses will have to continue using existing mechanisms to transfer personal data, which often involves the use of rather cumbersome EU standard model clauses and/or the UK’s international data transfer agreements and addendums, as well as conducting transfer impact assessments.
There have been indications that Max Schrems (initiator of the previous challenges) and fellow activists will continue to fight the framework and any adequacy decision. However, the EC believes the CJEU would not strike down the framework as they believe the safeguards in the order provide a “durable and reliable legal process for transatlantic data flows”.