[Things don’t stand still in the world of data privacy. Check out our December 15, 2022 update here].
Is your head spinning trying to keep up with headlines about personal data? You are in good company. Here, we take on – at a high level – recent events impacting cross-border transfers of personal data from the EU or UK to the U.S. Regarding the EU, there’s the U.S. Data Privacy Framework; regarding the UK, there’s the New Comprehensive Dialogue on Technology and Data.
What just happened?
On October 7, 2022, the U.S. made a third attempt to smooth the way for businesses transferring personal data from across the pond:
- President Biden issued an Executive Order and the Department of Justice issued new regulations, both addressing U.S. intelligence-gathering;
- the Commerce Department announced updated principles companies can adopt (“certify”): the EU-US Data Privacy Framework Principles. (These update what had been the Privacy Shield and, before that, the Safe Harbor Principles.)
The Court of Justice of the European Union (“CJEU”) rejected the prior programs governing trans-Atlantic data flows, finding U.S. surveillance inconsistent with the GDPR (Schrems I and Schrems II). Those decisions created years of nausea-inducing uncertainty, and risk, for the many, many companies doing business between the U.S. and the EU.
Both the European Commission and the UK government welcomed the U.S.’ recent efforts. Each has begun working toward an “adequacy” decision for companies certified under the new U.S. Data Privacy Framework (“DPF”). Time estimates vary, but the EU process will take months; the UK signaled eagerness to act “expediently.” The U.S. also has pieces of the puzzle to complete (e.g., designating the countries eligible for the redress mechanism).
In the meantime, what to do about contracts transferring personal data?
Companies can’t (yet) certify to the DPF. So to transfer EU- or UK-protected personal data to the U.S. (or to other countries without adequacy status), contracting parties need another cross-border transfer mechanism (on top of data protection agreements, which are required whether or not adequacy decisions materialize). Other mechanisms exist (e.g., Binding Corporate Rules), but for most commercial transactions that means entering into and complying with the EU’s Standard Contractual Clauses (“SCCs”) and/or the UK’s variations on those clauses. (For deadlines and links, see our short blogs: https://www.techcontracts.com/2022/09/12/transfers-of-personal-data-gdpr/ and https://www.techcontracts.com/2022/03/29/contract-terms-current-uk-idta/.) One critical aspect – time-consuming, complex, and mind-bending – is conducting “transfer impact assessments.” Those evaluate risk based on the receiving jurisdiction’s “laws and practices” (EU SCC Art. 14). The SCCs require such assessments to be documented and made available upon request to competent supervisory authorities. Specifically, Art. 14 requires the contracting parties to:
warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorizing access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses.
When conducting transfer impact assessments now, will the U.S.’ recent moves serve as a sufficient intervening change in relevant law to support contracting parties’ Art. 14 warranties? Contracting parties may find comfort (albeit not a guarantee) in assertions by various government actors:
- The European Commission (https://ec.europa.eu/commission/presscorner/detail/en/QANDA_22_6045) said:
The Executive Order introduces new binding safeguards to address all the points raised by the Court of Justice of the EU, limiting access to EU data by US intelligence services and establishing a Data Protection Review Court. (Emphasis added). … Why does the Commission think that the Court of Justice of the EU will not strike down the agreement again? The objective of the Commission in these negotiations has been to address the concerns raised by the Court of Justice of the EU in the Schrems II judgment and provide a durable and reliable legal basis for transatlantic data flows. This is reflected in the safeguards included in the Executive Order, regarding both the substantive limitation on US national security authorities’ access to data (necessity and proportionality) and the establishment of the new redress mechanism.
- Similarly, the U.S. Commerce Department declared:
These commitments fully address the Court of Justice of the European Union’s 2020 Schrems II decision and will cover personal data transfers to the United States under EU law, including those using Standard Contractual Clauses, Binding Corporate Rules, or a future adequacy decision for the EU-U.S. DPF. (Emphasis added).
Unsurprisingly, privacy activist Mr. Schrems, via his non-profit noyb, has already criticized the efforts as insufficient. Whether the new regime survives the inevitable legal challenges (aka Schrems III, or noybI) remains to be seen.
By Kathy O’Sullivan, Esq. (CIPP/E, CIPP/US)
We cover data management and much more in our Tech Contracts Master Classes™ . You can sign up here.
© 2022 by Tech Contracts Academy, LLC. All rights reserved.