Attack of the Clones: the latest EU-US data sharing pact
The European Commission and the US Government have announced that they have agreed in principle on a new Trans-Atlantic Data Privacy Framework. Will this remove the current barriers to EU-US data transfers, and does it point the way for a future UK-US framework?
A long time ago
To give some context to the importance of the new EU-US data protection discussions, we need to consider the restrictions currently in place around transferring personal data to the US from the UK or the EU and look back to the history of sharing personal data with the US.
Under the current data protection laws, organisations are restricted from making transfers of personal data outside the EU unless certain exemptions apply. For example, international data transfers may be made if the receiving country is deemed ‘adequate’, i.e. it gives an equivalent level of protection for personal data to that provided in the EU. The UK regime mirrors this approach, and these restrictions on international data transfers have caused difficulties with transferring personal data to the United States.
When organisations in the EU send personal data to organisations in the US which are subject to surveillance laws, that transfer is illegal unless stringent safeguards are put in place. The safeguards required create an almost impossibly high bar for compliance, severely limiting the ability to transfer personal data from the EU to the US. The current UK regime again mirrors this position.
The US and EU originally put in place a mechanism known as the ‘Safe Harbour’ which purported to provide sufficient protection of personal data to allow personal data to flow freely from the EU to the US. The Safe Harbour was struck down in 2015 over concerns about a lack of privacy rights for EU citizens and the wide-reaching surveillance powers of the US. The ‘Privacy Shield’ was then put in place and was struck down in 2020 for similar reasons, including concerns that the US intelligence-gathering did not offer sufficient rights of redress to EU citizens.
In the absence of the Safe Harbour or the Privacy Shield, organisations based in the EU need to rely on one of the other exemptions set out in the GDPR, which carry more of an administrative burden than relying on an adequacy decision. The decision which struck down the Privacy Shield scheme also suggested that organisations may not be able to rely on those other exemptions when transferring data to recipients in the US who are subject to US surveillance laws. This creates a serious compliance challenge for organisations using US-based IT infrastructure and services. For a live example, consider the question of whether using Google Analytics could be a breach of data protection law.
In a country far, far away
Whilst the EU-US framework has been agreed in principle, the details are still thin on the ground. The information released so far about the framework does not go much further than outlining some broad principles, which will need to be translated into legal documents on both sides of the Atlantic before the framework has any legal effect.
The principles themselves are positive, promising commitment to strengthen civil liberties in the face of US intelligence-gathering through interception of signals (with enhanced oversight of those activities) and establishment of a new redress mechanism.
Whether this new framework is successful in allowing an easier flow of personal data will depend on how far the framework addresses the issues raised by the European Court of Justice (ECJ) when it struck down the Privacy Shield. The commitment to a new redress mechanism for individuals in the EU is clearly an attempt to address one of the key shortcomings identified by the court, but whether the mechanism succeeds will depend on the detailed implementation. Those tasked with drafting the text of this new framework will have their work cut out for them in finding solutions to the ECJ’s concerns.
Once the text is drafted, organisations will not be able to implement the new framework until President Biden issues an executive order in the US and the European Commission issues the necessary adequacy decision under the GDPR.
A statement released from the White House estimates that the deal will enable a flow of data which underpins more than $1 trillion in cross-border commerce.
Coming soon, to a court near you?
Given the history, it would be surprising if this new framework does not face a challenge in the courts.
Max Schrems, a privacy campaigner who was instrumental in the Safe Harbour and Privacy Shield being struck down, promptly poured cold water over any new hopes that may be emerging. In his tweet, Schrems says that this new framework puts ‘Politics over law and fundamental rights’ and suggests that this framework may fail like the ones before it.
Schrems’ non-profit organisation NOYB (which stands for ‘None of Your Business’) has greeted the announcement with scepticism. In NOYB’s published first reaction, Schrems stated that this new framework exercise is playing ‘the same game a third time now’, leaving little room for doubt that this framework will be challenged as the Safe Harbour and Privacy Shield were before it. In that same publication, NOYB suggested that it expects this issue to be back at the Court within months of the framework being finalised.
However, since Brexit the UK is no longer bound to follow EU decisions, and it may well choose to make a decision of its own in regard to sharing data with the US.
A new hope?
The UK’s own data protection regime is, for now, largely a holdover from the European rules which applied here until the end of the Brexit transition. That inheritance includes the ECJ decisions on transfers of data to the US. Organisations in the UK transferring data to the US currently face the same hurdles as their European counterparts and competitors. However, in the Queen’s Speech, delivered on 10 May, the Prince of Wales announced a new Data Reform Bill, indicating that the UK may be considering a move away from its EU-law roots.
Since the end of the Brexit transition, the UK government has announced that it will prioritise striking data adequacy partnerships with the US, among other countries.
In September last year the Department for Digital, Culture, Media & Sport (DCMS) issued a consultation that included broad-brush proposals about how the UK would approach making decisions about international data transfers. The consultation suggested that such decisions should ‘appropriately account for the duty of governments to keep their citizens safe’ and be ‘based more heavily on an assessment of the real-world outcomes of data protection regimes’. In December the UK and US issued a joint statement which emphasised their shared commitment to a ‘prosperous future by promoting… exchange of data across borders’.
This all suggests that the UK government is inclined to take a more relaxed approach to US surveillance activities in any future international data transfer arrangements. However, that aspiration currently has to be weighed against a risk: if the UK starts to permit transfers which would be prohibited under the EU regime, this could trigger the repeal of the arrangements which currently permit free transfers of data from the EU to the UK.
The completion of the EU-US framework would enable the UK to pursue a similar arrangement without jeopardising the freedom of transfers between the EU and UK.