Auteur

Debbie Heywood

Senior Counsel – Knowledge

Read More
Auteur

Debbie Heywood

Senior Counsel – Knowledge

Read More

13 avril 2022

May - Data sharing – 5 de 6 Publications

Privacy Shield 2.0 – third time lucky?

What's the issue?

Data transfers from the EU and UK to the USA have been problematic for years now as we've ridden the rollercoaster of transfer solutions and their successful challenges in the courts.  A replacement to the Privacy Shield has long been promised by the EU and US, but where does that leave the UK?  While it has prioritised an adequacy agreement with the US, it needs to be careful not to risk its own adequacy agreement with the EU. 

Other transfer mechanisms exist of course, notably EC Standard Contractual Clauses and the UK International Data Transfer Agreement and Addendum, but these are far from easy to implement and are themselves under scrutiny.  There can be no doubt that clarity on the issue of data transfers to the US is needed.

What's the development?

The EC and US government have announced agreement "in principle" of a new Trans-Atlantic Data Privacy Framework (TADPF) to facilitate frictionless data flows between the EU and USA. Full details have not been released but in its press release, the White House said the USA had made "unprecedented commitments" to:

  • strengthen privacy and civil liberties safeguards governing US signals intelligence activities
  • establish a new redress mechanism with independent and binding authority
  • enhance its existing rigorous and layered oversight of signals intelligence activities.

It goes on to say that the Framework ensures:

  • signals intelligence collection may be undertaken only where necessary to advance legitimate national security objectives and must not disproportionately impact the protection of individual privacy and civil liberties
  • EU individuals may seek redress from a new multi-layer redress mechanism that includes an independent Data Protection Review Court that would consist of individuals chosen from outside the US Government who would have full authority to adjudicate claims and direct remedial measures as needed
  • US intelligence agencies will adopt procedures to ensure effective oversight of new privacy and civil liberties standards.

The scheme will operate as before, on a self-certification basis signalling that an organisation complies with a set of Principles.

What does this mean for you?

The announcement has been greeted with enthusiasm by organisations and privacy professionals. Privacy campaigners including Max Schrems and NOYB, have, however, been more cautious (to put it mildly). They warn that "we expect this to be back at the Court within months from (sic) a final decision".  

This is based on the expectation that the final text of the Privacy Shield will use GDPR-friendly language (such as 'redress' and 'proportionality') but will not be underpinned by any substantial changes in US surveillance laws, although it seems likely some amendments to US law will be made by Executive Order including the establishment of a Data Protection Review Court. A recent US Supreme Court decision (FBI v Fagaza), reinforced the rights of surveillance authorities to access personal data so it remains to be seen whether a meaningful redress system will be set up for EU citizens concerned about access to their data.

A final version of the TADPF is not expected for the next few months, after which it will go through an approval process, so it is unlikely to be in place until the end of 2022 at the earliest. The EDPB has already signalled a cautious approach, saying it is waiting for full details and setting out the areas for scrutiny. Assuming it is adopted, it should at least hold for a year or two, even if there is an ensuing legal challenge. The European Commission and the US, not to mention businesses, will be hoping it fares better than that and provides a lasting solution where Safe Harbor and the Privacy Shield failed.

But what about UK-US transfers? 

The proposed TADPF will not apply to transfers from the UK to the US so what does this agreement mean for the UK?  The UK government has prioritised reaching an adequacy agreement with the US although so far there have been no concrete developments.  One of the concerns about this was that any UK-US agreement might jeopardise the EU-UK adequacy agreement. If, however, the EC has recognised the US as providing adequate protection for EU data under particular conditions, any move towards US adequacy by the UK will become much less risky.

Does this mean the UK will seek to emulate the Commission's approach by giving a partial adequacy decision, recognising protections as adequate where they meet certain requirements or where the US importers are signed up to Privacy Shield 2.0 principles?  Any steps by the UK to give the US an unqualified adequacy decision could still prove unpalatable to the EU.

Alternatively, will the UK take a similar approach to the one taken in relation to transfers under standard contractual clauses?  The UK introduced its own International Data Transfer Agreement to replace the old SCCs, but also provided for use of an Addendum to the EC SCCs, making it easy for UK businesses transferring personal data to third countries from the UK and the EU, to 'bolt on' to them. The most recent indications are that the UK government may well formalise a UK-US adequacy arrangement before the end of 2022 and quite possibly before the EU-US replacement for Privacy Shield is formalised. Significantly, it is also likely that the UK government will publish its proposals to reform UK data protection law soon which will probably include changes to the international data transfer legal framework. In any event, the signs are positive that new solutions to the problems around data transfers to the US from the UK and EU are coming.  How robust they turn out to be remains to be seen. 

Dans cette série

Technologies de l'information

EU Commission's final proposal for the new Data Act published

Stephanie Richter and Gabriel Drewek look at the draft Data Act which is intended to unlock industrial data, clarifying who can create value from data and under what conditions.

28 February 2022

par Stephanie Richter, LL.M. (Torino), CIPP/E, Gabriel Danyeli, LL.M. (Köln/Istanbul Bilgi)

Protection des données et cybersécurité

Forced to share – is breaking up data monopolies the key to unlocking digital competition?

Debbie Heywood and Alex Walton look at EU and UK proposals to tackle the big data advantage of the major digital players.

1 May 2022

par Debbie Heywood

Protection des données et cybersécurité

Incoming EU data and digital legislation

There's a lot going on in the data and digital space in terms of incoming EU legislation. Here is a summary of key proposals which will impact the use of data (personal and non-personal) and likely timelines, as at 10 May 2022.

17 May 2022

par Victoria Hordern, Christopher Jeffery

Protection des données et cybersécurité

Pensions dashboards and data sharing

Anna Taylor and Jo Joyce look at the data sharing requirements for the proposed pensions dashboard and resulting data protection considerations.

17 May 2022

par Anna Taylor, Jo Joyce

Technologie, Médias et Communications (TMC)

Privacy Shield 2.0 – third time lucky?

Debbie Heywood looks at the recently announced draft Trans-Atlantic Data Privacy Framework to facilitate frictionless EU-US data flows – what does this mean for the UK?

13 April 2022

par Debbie Heywood

Protection des données et cybersécurité

The ICO's views on data sharing

Miles Harmsworth looks at the ICO's Code of Practice on data sharing.

1 May 2022

par Miles Harmsworth

Call To Action Arrow Image

Latest insights in your inbox

Subscribe to newsletters on topics relevant to you.

Subscribe
Subscribe

Related Insights

Technologie, Médias et Communications (TMC)

Data and cyber security - 2023 roundup

11 décembre 2023

par Debbie Heywood

Cliquer ici pour en savoir plus
Technologie, Médias et Communications (TMC)

Radar - 2023 roundup

11 décembre 2023

par Debbie Heywood

Cliquer ici pour en savoir plus
Technologie, Médias et Communications (TMC)

ICO publishes final guidance on data protection and monitoring workers

Can employers monitor their workers, how and to what extent?

23 octobre 2023

par Debbie Heywood

Cliquer ici pour en savoir plus