New EU-US Data Privacy Framework – third time lucky?

On 10 July 2023, the European Commission adopted a new adequacy decision for the EU-US Data Privacy Framework (“DPF”). This follows the previous invalidation of the Safe Harbor and Privacy Shield schemes under the Schrems cases.

The DPF was made possible after President Biden signed an Executive Order in October 2022 on ‘Enhancing Safeguards for United States Signals Intelligence Activities’, which addresses the concerns raised by the European Court of Justice (“ECJ”) in its Schrems II decision of July 2020. It provides for safeguards that limit access to data by US intelligence authorities to what is “necessary and proportionate” to protect national security and includes enhanced oversight by US intelligence services to ensure compliance with limitations on surveillance activities.

The decision finds that the US ensures an adequate level of protection – comparable to that of the EU – for personal data transferred from the EU to US companies that have self-certified under the new framework. On the basis of the new adequacy decision, personal data can be transferred from the EU to US companies that participate in the Framework, without the need for additional data protection safeguards such as standard contractual clauses (“SCCs”) and without the need to conduct a transfer impact assessment (“TIA”).

EU individuals will have access to redress if their data is wrongly handled by US companies. This includes free of charge independent dispute resolution mechanisms and an arbitration panel.

US companies can join the DPF by committing to comply with a detailed set of privacy obligations. This will include, for example, privacy principles such as purpose limitation, data minimisation and data retention, as well as specific obligations concerning data security and the sharing of data with third parties.

The safeguards put in place by the US will also facilitate transatlantic data flows more generally, since they also apply when data is transferred by using other tools, such as SCCs and binding corporate rules.

The Framework is administered and monitored by the US Department of Commerce. The US Federal Trade Commission will enforce US companies’ compliance.

What about the UK?

As a result of Brexit, the DPF only applies to personal data that is subject to EU GDPR and does not apply under UK GDPR. However, in June 2023, the UK and the US agreed to establish a UK Extension to the Data Privacy Framework that will create a ‘data bridge’ between the two countries. Now that the DPF has been adopted, this should go live in the near future.

So, what happens next?

But will the new DPF survive any future challenge such as a possible Schrems III? Some have commented that the DPF is not materially different to the failed Privacy Shield. We think that a challenge is likely but shall have to wait and see.

But, at least for the time being, EU and US firms can take advantage of the DPF as a more straightforward transfer mechanism than implementing SCCs and without the need to conduct a TIA. For those that do, updates will be required to their privacy notices to reflect this. For organisations that continue to rely on SCCs, TIAs can take account of the beneficial impact of the changes to US surveillance laws.

Nigel Miller
nmiller@foxwilliams.com

As the deadline to replace old EU SCCs passes …

Arjun Majumdar
Tayler Sani

Companies subject to the EU GDPR and reliant on standard contractual clauses (“SCCs”) to transfer personal data out of the EEA are reminded that the regulatory deadline to update their existing agreements has now passed.

EU GDPR Requirements

To recap, on 4 June 2021, we saw the European Commission adopt new, modernised EU SCCs for the transfer of personal data from the EEA to third countries.

Organisations were afforded a transitional period, which required that they:

  • cease using the old SCCs in new contracts by 27 September 2021, and
  • transition all existing contracts over to the new EU SCCs by 27 December 2022.

This means that organisations should have now adopted the new EU SCCs in all existing contracts involving international transfers of personal data under the EU GDPR. If they have not already done so, they should prioritise doing so as soon as possible.

UK GDPR Requirements

As the UK is no longer part of the EU, the new EU SCCs are not a valid transfer mechanism under the UK GDPR. However, in March 2022, the UK ICO formally adopted:

  • the IDTA, a standalone agreement – similar to (but not the same as) the new EU SCCs – for international data transfers from the UK to third countries;
  • the UK Addendum, which can be appended to, and have the effect of modifying, the new EU SCCs so that they work for international data transfers from the UK to third countries.

These were discussed in further detail in our previous article “New UK International Data Transfer Agreement.”

In respect of data transfer arrangements subject to the UK GDPR, contracts entered into prior to 21 September 2022 can rely on old EU SCCs until March 2024 (provided there are no modifications to the data transfer operations under those contracts) but, from now, new contracts must incorporate either the IDTA or the combination of the new EU SCCs plus the UK Addendum.

In Other News

Following Schrems II, businesses – whether subject to the EU GDPR or UK GDPR – relying on SCCs for their data transfers to recipients in third countries are also required to undertake and document transfer risk assessments. SCCs alone are no longer sufficient. Whilst the European Data Protection Board (EDPB) already published recommendations on this topic in June 2021 (which can be accessed here) in respect of restricted transfers subject to the EU GDPR, the ICO only recently published updated guidance on transfer risk assessments in respect of restricted transfers made subject to the UK GDPR, which can be accessed here.

Together with its guidance, the ICO have also published a TRA tool which can be used to help businesses carry out their TRAs. It is worth noting that the ICO have given businesses the option of conducting their assessments in line with the EDPB recommendations: either option is acceptable to the ICO.

Risk Management in Law Firms

Partner and head of our technology and data protection group, Nigel Miller, has written the data protection chapter in Global Law and Business’s recent publication Risk Management in Law Firms: Mitigate Risk and Enhance Firm Success.

The publication brings together lawyers, consultants and other risk and compliance professionals to provide expert and practical guidance on essential risk management topics. Chapters cover risks relating to clients, internal operations and law and regulation, and address recent developments including issues arising from the shift to hybrid working, the increased focus on ESG and climate change, and the extended influence of clients through outside counsel guidelines.

Nigel’s chapter on data protection is available to read here. The chapter sets out a high-level summary of applicable data protection laws, with a focus on areas that have specific application to law firms, and provides some best practice points for risk management.

New Trans-Atlantic Data Privacy Framework

The European Data Protection Board has welcomed the announcement of a political agreement in principle between the European Commission and the United States of a new Trans-Atlantic Data Privacy Framework.

The proposed Trans-Atlantic Data Privacy Framework seeks to address the concerns which led to the Privacy Shield framework being found by the European Court to be invalid. The proposed new Framework will include:

  • Safeguards to limit access to data by US intelligence authorities to what is necessary and proportionate to protect national security.
  • A new two-tier redress system to investigate and resolve complaints from Europeans about access to data by US intelligence authorities. This includes a Data Protection Review Court.
  • Strong obligations for companies processing data transferred from the EU. This will include the requirement to self-certify their adherence to the US Department of Commerce.
  • Specific monitoring and review mechanisms.

When implemented, the Framework will provide a legal basis for personal data flows from the EU to the US.

However, it may be some time before organisations can rely on the new Framework as it has to be approved by the European Commission. At this stage, therefore, the Framework cannot be used for data transfers from the EU to the US and data exporters must continue to use Standard Contractual Clauses and to take the steps required to comply with the Schrems II decision of 16 July 2020.

And even when it is adopted, it will, like its predecessors (Safe Harbor and Privacy Shield), be open to legal challenge by privacy groups.

In any event, the Framework will not apply to transfers from the UK to the US, and the UK has previously indicated that the US is a priority for an “adequacy” partnership.

New UK International Data Transfer Agreement

Vlad Arutyunyan
Millie Pierce

On 2 February 2022 the UK Government’s Department for Culture, Media and Sport put before Parliament the International Data Transfer Agreement (IDTA), an addendum to the new EU standard contractual clauses (New EU SCCs) (Addendum) and various transitional provisions. The documents can be accessed here.

The IDTA has been created as the UK equivalent to the New EU SCCs for international data transfers. The EU Commission modernised the EU SCCs on 4 June 2021. The New EU SCCs can be used by parties to incorporate standardised clauses into their contracts. These clauses deal with different sections, for instance for data controllers and processors. The IDTA is a standalone agreement that will apply to all transfers of personal data outside of the UK regardless of whether a party is a data controller or processor. Whilst there are a few exceptions, this includes data importers who are subject to the rules of the UK GDPR.

When the New EU SCCs were published on 4 June 2021, they didn’t apply in the UK due to Brexit. The IDTA and the Addendum have been created to replace the current SCCs used in the UK. The IDTA will take the binding effects of the European Court of Justice Schrems II[1] decision into account.

By addressing the necessary UK legal requirements, the Addendum will allow data exporters who continue to operate in the EU and UK to rely on the New EU SCCs without the need for an IDTA. The intent is to simplify the process for data exporters and will be supported by further guidance from the ICO on the risk protection steps that data exporters will need to undertake when transferring data.

The introduction of the IDTA and Addendum has been welcomed by the ICO, which has stated that “The IDTA and Addendum will also help to support the UK’s digital economy, by enabling the global flow of people’s personal data in order to deliver goods and services.”

The ICO will continue to develop the following guidance to provide help and support for businesses:

  • Clause by clause guidance to the IDTA and Addendum.
  • Guidance on how to use the IDTA.
  • Guidance on transfer risk assessments.
  • Further clarifications to the international transfers guidance.

The ICO have stated that the IDTA and the Addendum “are immediately of use to organisations transferring personal data outside of the UK”. The ICO hopes, subject to Parliamentary approval, that these changes will grant parties more confidence when entering into data transfer agreements. The ICO have confirmed that if approved, the IDTA, Addendum and transitional provisions will come into force on 21 March 2022.

[1] Previously, EU to US transfer of data was permitted under the Privacy Shield Decision. This was ruled to be illegal and stricter requirements for data transfer were expected based on the SCCs.