EU-US Privacy Framework could make life easier for a data biz, if it survives
But what about the Brits? A lawyer gives their take on the privacy minefield
Analysis A new EU-US transatlantic data flow agreement is expected to be finalized by the spring of 2023. The EU-US Data Privacy Framework will enable the flow of personal data from "data exporters" in the EU to "data importers" in the US who have signed up to the agreement.
The Framework offers a flexible alternative to the European Commission's Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs), which multinationals with a presence inside and out of the EU must otherwise use to share personal data (absent some small exceptions).
The European General Data Protection Regulation (GDPR) prohibits the transfer of personal data to "third countries" that do not guarantee an adequate level of data protection. "Third countries" are countries outside the European Economic Area. The European Commission declared a small number of third countries, such as Switzerland, Canada and Argentina as guaranteeing an adequate level of data protection.
Such an adequacy finding means personal data may be freely transferred from EU Member States to the adequate third country. However, the transfer of personal data to third countries which have not been granted an adequacy finding (such as the US) is prohibited, unless appropriate safeguards have been implemented. Currently, the main appropriate safeguards are SCCs and BCRs, which may be onerous to implement or expensive and time consuming, respectively.
More flexible data transfers were available in the form of the Privacy Shield and the Safe Harbor scheme, which were invalidated following the Schrems II and Schrems I decisions in 2020 and 2015 respectively. Multinationals will welcome the EU- US Data Privacy Framework, which offers a business-friendly alternative to facilitate transatlantic data sharing.
In October 2022, US President Biden signed an executive order, which mandates legal safeguards over US security agencies' use of EU citizens' personal data. This is a critical and long-awaited next step in the progress of the EU- US Data Privacy Framework.
The following step will be for the European Commission to make an adequacy finding, which could take as long as six months. If and when it does take effect, the Framework would operate as a replacement for the Privacy Shield.
However, Max Schrems, founder of privacy non-profit NOYB, already expressed reservations regarding the level of protection guaranteed by the EU-US Data Privacy Framework and a third challenge seems inevitable. If Schrems' third challenge repeats his earlier successes, multinational businesses' access to a flexible EU-US data transfer solution may be short-lived. Only time will tell, as this plays out over the course of 2023.
UK/EU divergence – The data protection and digital information bill
In the Queen's Speech of May 2022, the British government announced its intention to reform UK data protection law. The government previously expressed its desire to take advantage of Brexit to realize the apparently conflicting aims of creating a more business-friendly data regime that promotes growth and innovation, while continuing to protect individuals' privacy rights.
The draft Data Protection and Digital Information Bill was published in July 2022, in an effort to realize the government's intentions. Notwithstanding the government's ambitious claims, the Bill amounted to little more than an evolution of the existing UK GDPR, rather than a radical overhaul. However, the changes the Bill would have introduced regarding international data transfers potentially threatened the UK adequacy decision the European Commission made in June 2021.
The adequacy decision enables the free flow of personal data between the EU and the UK following Brexit. However, the European Commission may withdraw the decision if the UK data protection regime diverges too far from European data protection standards. Such a withdrawal would mean that organizations in EU Member States would be prohibited from sharing personal data with the UK, which would be costly and disruptive for multinational businesses with a presence in the UK and the EU.
The draft Data Protection and Digital Information Bill looks set to make further progress, following the announcement at the International Association of Privacy Professionals (IAPP) Congress 2022 in Brussels in November by DCMS deputy director Owen Rowland that the latest consultation on the Bill will commence shortly.
- EU lawmakers argue against signing US data-transfer pact
- US and EU looking to create 'critical minerals club' to ensure their own supplies
- Microsoft to Europe: We're setting an EU 'data boundary' from 2023
- France says non to Office 365 and Google Workspace in school
The need for reform is questionable; while the UK GDPR may not be perfect, it is fit for purpose in striking a reasonable balance between protecting individuals' rights and businesses' interests. The British government may dismiss the GDPR as overly unfriendly to business goals for data use.
However, it seeks to give individuals choice and control over how their personal data is used and imposes heavy penalties on organizations that fail to abide by the rules. If the UK government pushes ahead with its proposed reform, resulting in a UK data protection regime that fails to meet European standards, leading to a revocation of the UK's adequacy finding, companies will face a much-increased burden to enter into an appropriate data transfer solution, as well as carry out a transfer risk assessment, for transfers from the EU to the UK. The inevitable costs to businesses are likely to absorb at least some of the purported savings (or increased revenues from new data uses) the new legislation would make.
Whether the British government will press ahead with its proposed reform has yet to be answered, so the best advice to multinational businesses is to watch this space.
The European Commission's adequacy determination concerning the EU- US Data Privacy Framework is expected imminently; whether or not it survives the almost inevitable Schrems III challenge is unclear. Meanwhile, UK businesses that trade internationally may well be hoping that the government sees sense and leaves well enough alone, rather than risking the UK's adequacy decision and the free flow of data with Europe. ®