Radar - January 2023 – 1 / 3 观点
Since the CJEU's decision in the Schrems II case struck down the EU-US Privacy Shield, additional transfer mechanisms have been needed for transfers of personal data to the US from the EU and the UK. The European Commission and the UK government have been working towards replacement agreements and President Biden published an Executive Order in October which paved the way for a new EU-US, and a UK-US adequacy decision.
The European Commission published a draft adequacy decision for the EU-US Data Privacy Framework (DPF) in December 2022, following President Biden's Executive Order. The decision could be adopted as early as March 2023 although it is thought July is more likely. The draft decision is with the EDPB which must deliver an Opinion, following which it must be approved by a representative Committee of the Member States and then adopted by the Commission. The European Parliament also has a right of scrutiny.
US organisations will be able to join the DPF by committing to a series of privacy obligations. The US commits to limiting the access to EU data by intelligence agencies to what is necessary and proportionate, and there is provision for an independent and impartial redress mechanism, including through a Data Protection Review Court.
The safeguards provided under the DPF will also be an indication of compliance with the Schrems II criteria for the purposes of other authorised transfer mechanisms. Read more about the contents of the draft decision and the differences between the DPF and the previous Privacy Shield here.
Where does that leave UK organisations which transfer personal data to the US? The UK government published an Explanatory Note in October highlighting the progress made by the UK and US in working towards an adequacy arrangement (or "data bridge for US-UK data flows"), largely as a result of President Biden's Executive Order. The Note planned for the laying of regulations in Parliament in early 2023 and there is no reason to expect a delay. If anything, it's conceivable the UK adequacy arrangement's passage to legislation may be more straightforward than the EU's.
The content of the UK adequacy decision may differ from the EU's. While points of difference are unlikely to be material from a compliance perspective, it's possible that the terms of the decision may be more permissive or subject to less frequent review. The first independent adequacy decision concluded by the UK in favour of South Korea, covered a slightly wider range of data than the EU equivalent.
Another issue, both for the EU and the UK, is whether US adequacy decisions will stand up in court. Will there be a Schrems III case in the EU? It seems highly likely that Max Schrems will challenge the EU decision through the courts. While the European Commission is confident that the US has now done enough to address, the CJEU's concerns, Schrems, among others, has voiced scepticism. In particular, he has questioned the standing of the proposed Data Protection Review Court, and whether there is any meaningful change to the scope of surveillance permitted, saying: "I can't see how this would survive a challenge before the Court of Justice". It is also possible that any UK adequacy agreement would also face a legal challenge. The Schrems II decision currently applies in the UK although that could change in the process of a legal challenge if the Retained EU Law Bill passes in its current form.
It's worth remembering that any legal challenge will take time so US adequacy decisions are likely to hold up for at least a few years and hopefully much longer. As such, signing up to the DPF or a UK equivalent, is likely to hold significant appeal, not least because it will mean there is no need to conduct a Transfer Impact Assessment, and the Schrems II criteria will be deemed satisfied in relation to transfers taking place under the DPF. Businesses contemplating signing up to the DPF should begin their compliance preparations now in order to be able to take earliest advantage.