Data transfers - the new EU-U.S. data privacy framework
A new EU-U.S. transatlantic data flow agreement is expected to be finalized by the spring of 2023. The EU-U.S. Data Privacy Framework will enable the flow of personal data from ‘data exporters’ in the EU to ‘data importers’ in the U.S. who have signed up to the agreement. The Framework offers a flexible alternative to the European Commission’s Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs), which multinationals with a presence inside and out of the EU must otherwise use to share personal data (absent some small exceptions).
The European GDPR prohibits the transfer of personal data to ‘third countries’ that do not guarantee an adequate level of data protection. ‘Third countries’ are countries outside the European Economic Area. The European Commission declared a small number of third countries, such as Switzerland, Canada and Argentina as guaranteeing an adequate level of data protection. Such an adequacy finding means personal data may be freely transferred from EU Member States to the adequate third country. However, the transfer of personal data to third countries which have not been granted an adequacy finding (such as the U.S.) is prohibited, unless appropriate safeguards have been implemented. Currently, the main appropriate safeguards are SCCs and BCRs, which may be onerous to implement or expensive and time consuming, respectively.
More flexible data transfers were available in the form of the Privacy Shield and the Safe Harbor scheme, which were invalidated following the Schrems II and Schrems I decisions in 2020 and 2015 respectively. Multinationals will welcome the EU-U.S. Data Privacy Framework, which offers a business-friendly alternative to facilitate transatlantic data sharing.
In October 2022, U.S. President Biden signed an executive order, which mandates legal safeguards over U.S. security agencies’ use of EU citizens’ personal data. This is a critical and long-awaited next step in the progress of the EU-U.S. Data Privacy Framework.
The following step will be for the European Commission to make an adequacy finding, which could take as long as six months. If and when it does take effect, the Framework would operate as a replacement for the Privacy Shield.
However, Max Schrems, founder of privacy non-profit NOYB, already expressed reservations regarding the level of protection guaranteed by the EU-U.S. Data Privacy Framework and a third challenge seems inevitable. If Schrems’ third challenge repeats his earlier successes, multinational businesses’ access to a flexible EU-U.S. data transfer solution may be short-lived. Only time will tell, as this plays out over the course of 2023.
UK/EU divergence – The data protection and digital information bill
In the Queen’s Speech of May 2022, the British government announced its intention to reform U.K. data protection law. The government previously expressed its desire to take advantage of Brexit to realize the apparently conflicting aims of creating a more business-friendly data regime that promotes growth and innovation, while continuing to protect individuals’ privacy rights.
The draft Data Protection and Digital Information Bill was published in July 2022, in an effort to realize the government’s intentions. Notwithstanding the government’s ambitious claims, the Bill amounted to little more than an evolution of the existing U.K. GDPR, rather than a radical overhaul. However, the changes the Bill would have introduced regarding international data transfers potentially threatened the U.K. adequacy decision the European Commission made in June 2021. The adequacy decision enables the free flow of personal data between the EU and the U.K. following Brexit. However, the European Commission may withdraw the decision if the U.K. data protection regime diverges too far from European data protection standards. Such a withdrawal would mean that organizations in EU Member States would be prohibited from sharing personal data with the U.K., which would be costly and disruptive for multinational businesses with a presence in the U.K. and the EU.
The draft Data Protection and Digital Information Bill looks set to make further progress, following the announcement at the International Association of Privacy Professionals (IAPP) Congress 2022 in Brussels in November by DCMS deputy director Owen Rowland that the latest consultation on the Bill will commence shortly.
The need for reform is questionable; while the U.K. GDPR may not be perfect, it is fit for purpose in striking a reasonable balance between protecting individuals’ rights and businesses’ interests. The British government may dismiss the GDPR as overly unfriendly to business goals for data use. However, it seeks to give individuals choice and control over how their personal data is used and imposes heavy penalties on organizations that fail to abide by the rules. If the U.K. government pushes ahead with its proposed reform, resulting in a U.K. data protection regime that fails to meet European standards, leading to a revocation of the U.K.’s adequacy finding, companies will face a much-increased burden to enter into an appropriate data transfer solution, as well as carry out a transfer risk assessment, for transfers from the EU to the U.K. The inevitable costs to businesses are likely to absorb at least some of the purported savings (or increased revenues from new data uses) the new legislation would make. Whether the British government will press ahead with its proposed reform remains to be seen, so the best advice to multinational businesses is to watch this space.
The European Commission’s adequacy determination concerning the EU-U.S. Data Privacy Framework is expected imminently; whether or not it survives the almost inevitable Schrems III challenge remains to be seen. Meanwhile, U.K. businesses that trade internationally may well be hoping that the government sees sense and leaves well enough alone, rather than risking the U.K.’s adequacy decision and the free-flow of data with Europe.
For the full 2023 Top 10 Trends in Risk and Compliance eBook: