President Biden has signed an executive order introducing new safeguards that seek to address the concerns raised by the European Court of Justice in the Schrems II decision on transfers of personal data to the US. The UK and European Commission will now commence the next stages of their adequacy assessment processes. In this update we look at what this means for organisations that transfer personal data to the US.
Background
In July 2020, the European Court of Justice issued its decision in Schrems II, declaring that the US privacy shield framework was not lawful under EU data protection law, as it did not provide appropriate safeguards to, or remedies for, EU data subjects under US surveillance laws. While the ECJ also held that the EU Standard Contractual Clauses (SCCs) are, in principle, valid under EU law, this is subject to data subjects having enforceable rights and effective remedies in the destination territory. This requires data exporters to carry out transfer risk assessments (TRAs) to assess the laws in the destination territory and consider whether supplementary measures are necessary to bolster the SCCs with additional technical, contractual or organisational measures.
Following Schrems II, the EU has introduced new SCCs. The UK, having now left the EU, has adopted a new transfer tool, the International Data Transfer Agreement (IDTA), together with accompanying guidance (which is still in draft, some six months after the IDTA came into force). While the draft UK guidance takes a risk-based approach to assessing whether a transfer can be made, the process is time-consuming and complex.
Neither the new SCCs nor the IDTA can address all the criticisms of US law in Schrems II, in particular in relation to the powers of US surveillance organisations to carry out bulk surveillance and the limited rights of redress under US law. This has made it difficult for UK and EU data exporters to conduct a successful TRA where data importers, such as SaaS service providers and other technology businesses, are subject to those surveillance laws.
A replacement for Privacy Shield would avoid the need for data exporters to carry out TRAs and use IDTAs/SCCs for transfers to certified US importers. The European Commission and UK governments have therefore been in discussions with the US government on a replacement scheme that addresses the shortfalls of Privacy Shield.
Why has the executive order been made?
The executive order implements into US law a number of commitments made in an agreement in principle made between the EU and the US in March 2022. The executive order is also accompanied by a number of regulations made by the US Attorney General. The executive order includes new binding safeguards to limit access to data by surveillance agencies to information that is necessary and proportionate to protect national security and a new two-tier independent redress mechanism to investigate and resolve complaints.
While the controls on access to data by surveillance agencies apply to all data, the redress mechanism will only apply to data received from countries and territories designated by under the executive order. It is the US’s intention that both the UK and EU will be designated.
As with Privacy Shield, US organisations seeking to rely upon the new data privacy framework will need to be certified by the US Department of Commerce.
When will the UK and EU approve the new US data privacy framework?
The executive order has been welcomed by both the UK government and the European Commission. In particular, the European Commission has stated in a Q&A that it believes that the safeguards in the executive order address the ECJ’s criticisms in Schrems II.
The UK government has said that it will ‘work expediently’ and look to complete ‘in weeks ahead’ its adequacy assessment process for the US data privacy framework.
The European Commission has said it is now commencing its adequacy approval process. This involves publication of a draft adequacy decision and consultation with the EDPB and member states, which is likely to take around six months.
Privacy activist Max Schrems has already issued a critique of the executive order, questioning whether the US and EU are aligned on what is meant by the terms ‘necessary’ and ‘proportionate’ and whether the redress mechanism is sufficiently effective. While a challenge to the lawfulness of the new framework under EU feels almost inevitable, it will be for the courts to decide whether the improvements that are being introduced are sufficient.
What should I be doing in the meantime?
Approval of the US data privacy framework will take some time under both UK and EU law. However, the executive order has immediate effect. Organisations may therefore wish to consider in the meantime the undertakings given in the executive order when carrying out TRAs for transfers to the US. The new safeguards may help to mitigate some of the potential transfer risks by limiting the circumstances in which surveillance agencies may access data and the extent of such access.
Organisations seeking to do so should, however, remember that while the binding safeguards on access to data are immediately effective, the US has not yet designated the UK or EU as qualifying territories under the redress mechanism.
Notes
Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems CJEU C-311/18