The Latest On The EU-US Data Transfers

26.07.2023

The transfer of personal data between the European Union ("EU") and the United States ("US") has long been a topic of concern, involving efforts to strike a balance between facilitating data flows and protecting privacy. As part of these efforts, the European Commission voted in favor of the draft adequacy decision on the EU-US Data Privacy Framework ("Framework") in the vote held between 4 July 2023 and 6 July 2023. As a result, the US has been included among the countries that provide adequate protection, subject to some requirements. However, the decision also raises concerns regarding the potential implications and effectiveness of the Framework.

In this article, we will explore the ongoing efforts to ensure the continued flow of personal data while safeguarding individuals' privacy.

What is the 'Adequacy Decision'?

Chapter 5 of the General Data Protection Regulation ("GDPR") sets out the provisions concerning transfers of personal data to third countries or international organisations. According to Article 45 of the GDPR, the European Commission may determine that a third country or an international organisation ensures an adequate level of protection for personal data. For instance, a controller established in the EU may transfer personal data from the European Economic Area (EEA) to a third country as a result of an adequacy decision.

The adoption of an adequacy decision involves several steps including a proposal from the European Commission, an opinion of the European Data Protection Board, an approval from the representatives of EU countries, and the adoption of the decision by the European Commission.

Apart from the adequacy decision for the US, the third countries that provide an adequate level of data protection are Andorra, Argentina, Canada (only commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, Japan, the United Kingdom and the Republic of Korea.

In the absence of an adequacy decision, the transfer of personal data to a third country can occur through different mechanisms, provided that appropriate safeguards are in place. In addition, data subjects must have enforceable rights and legal remedies available to them for these mechanisms to be relied on. These appropriate safeguards can be provided through various means, such as legally binding instruments between public authorities, binding corporate rules, standard data protection clauses adopted by the Commission, approved codes of conduct, or approved certification mechanisms. The most commonly used method is signing the Standard Contractual Clauses (SCCs) approved by the European Commission.

In the absence of an adequacy decision or appropriate safeguards, the transfer of personal data to a third country must meet specific conditions such as obtaining explicit consent from the data subject.

Concerning data transfers between the EU and the US, the adequacy decision may enable the free and secure flow of data to companies that are certified by the US Department of Commerce under the Framework. US companies may have the opportunity to participate in the Framework by complying with a set of rules. These include obligations regarding purpose limitation, data retention, data security, and data sharing with third parties.

What is the Background of this Framework?

The EU and the US have historically had different approaches to data protection. The GDPR provides comprehensive privacy rights for individuals, whereas the US relies on a sectoral approach with various federal and state laws governing privacy. This discrepancy has raised concerns about the level of protection for the personal data of people in the EU when such data is transferred to the US.

The Safe Harbor framework allowed companies to transfer personal data to the US between 2000 and 2016. Max Schrems, an Austrian activist, filed a complaint regarding the transfer of personal data from Facebook Ireland Ltd. to Facebook Inc. The case was subsequently referred by the Irish High Court to the Court of Justice of the European Union ("CJEU"). The decision of the CJEU invalidated the Safe Harbor arrangement on 6 October 2015 and specified concerns regarding insufficient safeguards against surveillance activities conducted by US intelligence authorities.

Afterwards, the Privacy Shield mechanism was introduced as a replacement for the Safe Harbor agreement to facilitate EU-US data transfers, with an adequacy decision by the European Commission on 12 July 2016. The Privacy Shield framework was also subject to legal challenges and was declared invalid by the CJEU on 16 July 2020 due to concerns over US surveillance programs and the lack of enforceable rights. The CJEU stated that the level of protection provided by the US did not meet the standards guaranteed by the GDPR and the Charter of Fundamental Rights. The CJEU also highlighted that US surveillance laws were not limited to what was strictly necessary and would be considered disproportionate. Consequently, the companies subject to US surveillance laws could not rely on Standard Contractual Clauses, as they conflicted with the EU fundamental rights.

After the invalidation of the second data transfer framework and in response to the need for a stable and reliable method for the EU-US data transfers, the European Commission and the US announced that they agreed in principle on the Framework in March 2022. The Executive Order on 'Enhancing Safeguards for United States Signals Intelligence Activities' signed by US President Biden on 7 October 2022 includes commitments of the US.

The Executive Order introduced several key elements to enhance data protection in the US. It includes binding safeguards that restrict access to personal data by US intelligence authorities to what is necessary and proportionate for national security purposes. Additionally, it establishes the Data Protection Review Courts, which will investigate complaints from EU individuals. The US intelligence authorities will be required to review and update their policies and procedures to ensure compliance.

On 3 July 2023, the Office of the Director of National Intelligence ("ODNI") made an announcement stating that the US Intelligence Community will comply with the policies and procedures outlined in the Executive Order.

Subsequently, the European Commission conducted a vote on the Framework from 4 July 2023 to 6 July 2023 and considered the US as a third country with an adequacy decision.

What is the expected news for the EU-US Data Transfers?

It is possible that the Framework could be examined by the CJEU, as its predecessors were, depending on several factors such as the existence of ongoing surveillance in the US, differing approaches to what constitutes proportionate, or the newly established courts not being effective.

It is crucial for organizations to stay informed about the latest developments and adapt their data transfer practices accordingly. Maintaining compliance with data protection regulations is essential not only to avoid legal risks but also to uphold the privacy rights of individuals in an increasingly digital world.


First published by Mondaq, 13 July 2023.


Tagged with: Ünsal Law Firm, Kaan Özdemir, Hande Yılmaz, Personal Data, Data Protection & Privacy
