The rules around transferring personal data from the European Union to the United States changed in July 2020. We have now had almost two years with the new arrangements in place; however, not all businesses were aware of the changes or the issues it can create when sharing information internationally.
In this blog we look at the impact of the decision by the Court of Justice of the European Union on 16 July 2020 which confirmed that the EU-US Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States.
We also look at the recent announcements made in March and October 2022 by the European Commission and the United States about the new Trans-Atlantic Data Privacy Framework which is aimed at replacing the old Privacy Shield system and enabling personal data to travel from the EU to the US again and the steps the UK have been taking to extend this to cover the UK as well post-Brexit.
The EU rules on transferring personal data
The General Data Protection Regulation (GDPR) governs the processing of personal data within the EU. The UK enshrined the GDPR in UK law in the Data Protection Act 2018.
The GDPR sets out a series of standards that organisations must follow when processing personal data. They apply to personal data passed within countries within the EU.
Under the GDPR, the transfer of personal data from an EU to a non-EU country is unlawful unless:
- the country is exempt because they have equivalent privacy standards and an adequacy decision in place;
- there are appropriate safeguards in place and data subjects have enforceable rights and effective legal remedies; or
- there is a derogation for the specific situation (such as explicit consent given by the data subject).
What constitutes “appropriate safeguards” under the GDPR?
The nature of “appropriate safeguards”, the second of the three options listed above, depends on who is transferring the data and why.
Group companies based around the globe will often rely on binding corporate rules to enable their business to transfer data internally without inadvertently breaching the GDPR requirements. However, this only helps businesses where the two organisations sharing personal data are not connected, they can both adopt standard contractual clauses (SCC’s) to show their compliance.
These SCC’s are standard clauses approved by the EU which replicate the EU privacy standards. When relying on these clauses to send personal data outside the EU, the organisation transferring the data is also expected to carry out due diligence to satisfy themselves that the data would be treated properly in both the organisation and the country it is transferred to.
For organisations transferring personal data to the US, until July 2020 the EU-US Privacy Shield Programme became the easiest and simplest way to show that the receiving organisation complied with the GDPR and met the threshold of “appropriate safeguards”.
However, the Schrems II case in 2020 shone a spotlight on this whole area of GDPR compliance and changed the way organisations had to operate when passing personal data to the US.
What was the EU-US Privacy Shield?
The EU-US Privacy Shield was put together by the US Department of Commerce and the European Commission. It was a way for organisations in the US to show they met privacy standards which were equivalent to those in the GDPR and therefore confirm there were appropriate safeguards in place to enable data to be shared from the EU.
It came into force before the GDPR and replaced its predecessor, the Safe Harbour Agreement, which had been held to be invalid in a court case in 2015 – interestingly brought by the very same person who brought the case that was heard in 2020.
To receive certification under the EU-US Privacy Shield, an organisation had to show they met a set of privacy compliance standards with their internal practices and procedures. They could then self-certify to the US Department of Commerce who would confirm that they met the requirements. The US Department of Commerce was also supposed to enforce the standards.
The aim of the EU-US Privacy Shield was to enable organisations to pass data between the EU and the US whilst still meeting the strict requirements in the GDPR to protect the integrity of the personal data held by organisations. In 2020 when this case was heard and the law completely changed, approximately 5,000 companies were subscribed to it and relying on it for processing personal data.
The European Commission deemed the system “adequate” on the 12 July 2016 in what is known as the adequacy determination. A similar arrangement was reached between the Swiss Government and the US in 2017.
Why was the EU-US Privacy Shield so important?
The EU has always been clear – if data travels overseas then the EU standards of data protection must travel with it.
The EU-US Privacy Shield gave organisations transferring personal data to the US a clear way to make sure they could protect that personal data and show that these requirements had been met. By registering with the system and meeting the requirements set out by the US Department of Commerce they could show they met the EU’s strict requirements and proceed with their business as usual.
It has not only benefited group companies situated across the world but it also permeates supply chains around the globe and organisations who do business across the Atlantic.
What happened in the Schrems II case on 16 July 2020?
The Schrems II case dealt with a complaint by a privacy activist, Maximillian Schrems, against Facebook Ireland regarding the transfer of his personal data from Ireland to the US. The case was actually focused on the validity of the SCC’s in place but having held that the SCC’s were valid, as an aside the European Court went further and scrutinised the EU-US Privacy Shield.
It looked in detail at the US laws which authorise public authorities to access personal data transferred from the EU to the US and found that these laws weren’t compatible with the EU privacy laws, i.e. the GDPR. It also found that the Privacy Shield standards weren’t actually “equivalent” to those in the GDPR at all.
It criticised the fact that an effective independent ombudsman had not been established in the US. It found that there was no effective administrative or judicial redress for EU individuals if their personal data was not correctly handled within the US territory.
The final nail in the coffin for the EU-US Privacy Shield was that within the US legal and judicial system, the interests of national security, public interest and law enforcement take priority over fundamental privacy rights which means privacy rights can be overridden. The European Court were very concerned about the effect this had on the security of personal data within the US.
Taking all these factors into account, it reversed the adequacy decision and held the EU-US Privacy Shield to be invalid.
As a result, organisations could no longer rely on their subscription to the EU-US Privacy Shield programme to demonstrate they met the requirements of the GDPR when sending personal data to the US.
The case also went further and the Court made clear that even when relying on SCC’s, organisations must now pay much more attention to whether or not the country the personal data is being sent to is a safe place for that personal data. The European Court reiterated the responsibility of the organisation transferring the data out of the EU to carry out sufficient due diligence. This will need to be done for both the country that the data is being sent to as well as the receiving organisation to make sure that the terms of any agreed SCC’s can actually be met and the data that is being transferred is safe. For example, organisations now need to consider the rights of public authorities to access data and the availability of judicial redress for individuals in the country before transferring that data. If the transferring organisation cannot be satisfied that this is the case it will need to seriously consider whether it is appropriate to continue to send data to that country or organisation or whether additional safeguards are needed first.
Was this decision unexpected?
Not entirely. There had been increasing concerns over the adequacy of Privacy Shield since 2016 and those erring on the side of caution had always preferred to use SCC’s instead to protect the transfer of data between the EU and the US.
As mentioned above, the predecessor to the EU-US Privacy Shield, the Safe Harbour Agreement, was brought down by the very same privacy activist in a case several years before. Whilst the new Privacy Shield arrangements addressed the specific concerns with the Safe Harbour Agreement and arguably went further than its predecessor, there had always been concerns that it did not go far enough and the general practices in the US did not fully align with the aims and objectives of the EU when it comes to protecting personal data.
What were the consequences of the Schrems II decision for businesses?
The EU-US Privacy Shield system still existed and organisations signed up to it had to still comply to keep their certification. However, it no longer met the requirements under the GDPR for organisations in the EU sending data to the US.
The ICO issued updated guidance and committed to keeping the situation under review but the Schrems II case didn’t leave any satisfactory way of passing personal data to the US whilst still complying with the data protection rules in the UK and the EU.
The consensus seemed to have been that where a country was not exempt under the GDPR, such as the US, that SCC’s were the way forward for sending personal data outside the EU subject to the new enhanced due diligence set out by the European Court. However, this caused a problem for the US as the security issues highlighted in the Schrems II case meant that it was going to be very hard to meet the SCC requirements as well. The control the US Government has over access to information in the public interest overrode any other safeguards businesses could put in place and was a key security risk in the eyes of the EU and the courts.
Many businesses stopped sending personal information to the US as a result and reviewed their arrangements. Other businesses continued to send personal data but hoped that the ICO would not enforce any breaches until action was taken to address the issue this case caused for transfers to the US.
There was no easy solution for businesses who wanted to do business with the US and send personal data to them.
The recent joint statement by the European Commission and the United States on a Trans-Atlantic Data Privacy Framework
There is now, however, light at the end of the tunnel. On 25 March 2022 the European Commission and the US issued a joint statement confirming that they have agreed in principle on a new Trans-Atlantic Data Privacy Framework. This Framework is intended to replace the old Privacy Shield system and its aim is to allow personal data to once again flow across the Atlantic and address the concerns raised by the EU in the Schrems II decision 2 years ago. The full announcement can be found on the European Commission website.
As part of this Framework, the US is committing to implement reforms to strengthen the civil and personal protections available to individuals and prevent the intelligence activities of the US having such an impact on the flow of personal data. There will be key safeguards in place to limit the surveillance activities the US can carry out which the EU have agreed would bring them within the scope of the GDPR again. The Executive Order setting out these steps under the EU-US framework was signed by US President Biden on 7 October 2022.
It is a tremendously significant step forward for businesses who wish to trade with the US and have been prevented from doing so due to data protection concerns.
Whilst as a result of Brexit the UK is not a party to this agreement, the UK has also been engaged in its own discussions with the US Secretary of Commerce and on 7 October 2022 they confirmed that significant progress had been made towards a new adequacy agreement between the two countries. It is hoped that the Executive Order relating to the EU-US arrangements will also benefit the UK and enable the UK to expedite an adequacy decision for the US as well. We await the further developments with eager anticipation.
If your organisation is affected by this decision or considering entering into arrangements which would involve sending personal employee data to the US and you would like to discuss your options further, please contact Charlotte Farrell or Tabytha Cunningham for further assistance and they would be happy to help.
