What's the issue?
Data transfers from the EU and UK to the USA have been problematic for years now as we've ridden the rollercoaster of transfer solutions and their successful challenges in the courts. A replacement to the Privacy Shield has long been promised by the EU and US, but where does that leave the UK? While it has prioritised an adequacy agreement with the US, it needs to be careful not to risk its own adequacy agreement with the EU.
Other transfer mechanisms exist of course, notably EC Standard Contractual Clauses and the UK International Data Transfer Agreement and Addendum, but these are far from easy to implement and are themselves under scrutiny. There can be no doubt that clarity on the issue of data transfers to the US is needed.
What's the development?
The EC and US government have announced agreement "in principle" of a new Trans-Atlantic Data Privacy Framework (TADPF) to facilitate frictionless data flows between the EU and USA. Full details have not been released but in its press release, the White House said the USA had made "unprecedented commitments" to:
- strengthen privacy and civil liberties safeguards governing US signals intelligence activities
- establish a new redress mechanism with independent and binding authority
- enhance its existing rigorous and layered oversight of signals intelligence activities.
It goes on to say that the Framework ensures:
- signals intelligence collection may be undertaken only where necessary to advance legitimate national security objectives and must not disproportionately impact the protection of individual privacy and civil liberties
- EU individuals may seek redress from a new multi-layer redress mechanism that includes an independent Data Protection Review Court that would consist of individuals chosen from outside the US Government who would have full authority to adjudicate claims and direct remedial measures as needed
- US intelligence agencies will adopt procedures to ensure effective oversight of new privacy and civil liberties standards.
The scheme will operate as before, on a self-certification basis signalling that an organisation complies with a set of Principles.
What does this mean for you?
The announcement has been greeted with enthusiasm by organisations and privacy professionals. Privacy campaigners including Max Schrems and NOYB, have, however, been more cautious (to put it mildly). They warn that "we expect this to be back at the Court within months from (sic) a final decision".
This is based on the expectation that the final text of the Privacy Shield will use GDPR-friendly language (such as 'redress' and 'proportionality') but will not be underpinned by any substantial changes in US surveillance laws, although it seems likely some amendments to US law will be made by Executive Order including the establishment of a Data Protection Review Court. A recent US Supreme Court decision (FBI v Fagaza), reinforced the rights of surveillance authorities to access personal data so it remains to be seen whether a meaningful redress system will be set up for EU citizens concerned about access to their data.
A final version of the TADPF is not expected for the next few months, after which it will go through an approval process, so it is unlikely to be in place until the end of 2022 at the earliest. The EDPB has already signalled a cautious approach, saying it is waiting for full details and setting out the areas for scrutiny. Assuming it is adopted, it should at least hold for a year or two, even if there is an ensuing legal challenge. The European Commission and the US, not to mention businesses, will be hoping it fares better than that and provides a lasting solution where Safe Harbor and the Privacy Shield failed.
But what about UK-US transfers?
The proposed TADPF will not apply to transfers from the UK to the US so what does this agreement mean for the UK? The UK government has prioritised reaching an adequacy agreement with the US although so far there have been no concrete developments. One of the concerns about this was that any UK-US agreement might jeopardise the EU-UK adequacy agreement. If, however, the EC has recognised the US as providing adequate protection for EU data under particular conditions, any move towards US adequacy by the UK will become much less risky.
Does this mean the UK will seek to emulate the Commission's approach by giving a partial adequacy decision, recognising protections as adequate where they meet certain requirements or where the US importers are signed up to Privacy Shield 2.0 principles? Any steps by the UK to give the US an unqualified adequacy decision could still prove unpalatable to the EU.
Alternatively, will the UK take a similar approach to the one taken in relation to transfers under standard contractual clauses? The UK introduced its own International Data Transfer Agreement to replace the old SCCs, but also provided for use of an Addendum to the EC SCCs, making it easy for UK businesses transferring personal data to third countries from the UK and the EU, to 'bolt on' to them. The most recent indications are that the UK government may well formalise a UK-US adequacy arrangement before the end of 2022 and quite possibly before the EU-US replacement for Privacy Shield is formalised. Significantly, it is also likely that the UK government will publish its proposals to reform UK data protection law soon which will probably include changes to the international data transfer legal framework. In any event, the signs are positive that new solutions to the problems around data transfers to the US from the UK and EU are coming. How robust they turn out to be remains to be seen.
