Data transfers to the U.S. - Update October 2022
Legal mechanisms needed to transfer personal data to the U.S. look set to become less complex in 2023, following a Presidential Executive Order this month.
Since July 2020, U.K. and E.U. authorities’ refusal to recognise the U.S. as providing an adequate level of data protection has caused significant regulatory risk for E.U. and U.K. based companies reliant on transferring personal data to the U.S. as part of their everyday business activities.
Work has started on Privacy Shield 2.0 to replace the framework that was invalidated by the Court of Justice of the European Union in 2020. The European Commission has indicated that it may recognise the U.S. as offering adequate protection for individuals' rights relating to their data in the coming year.
In the meantime, however, it is vital that any data transfer to the U.S. has a mandated legal mechanism in place to ensure that the transfer is lawful. Read the full article for further information on steps that should be taken now to keep your data flowing.
E.U. - U.S. Privacy Shield - Background
The Privacy Shield was a framework for self-certification agreed upon by the U.S. Department of Commerce and the European Commission, and was one of the main mechanisms that provided safeguards to enable the transfer of E.U.
On 16 July 2020, the Court of Justice of the European Union (CJEU) ruled in a court case, Data Protection Commissioner v. Facebook Ireland, Maximillian Schrems (Schrems II), that the Privacy Shield failed to provide adequate protection for the rights of E.U. citizens and so was invalid.
Current Status
The big concerns for the European Commission and U.K. Information Commissioner’s Office (ICO) are access to data through covert U.S. security surveillance and individuals’ lack of redress mechanisms.
Currently the U.S. is not recognised by the U.K. or E.U. regulators as a country that provides adequate protection to the rights of their citizens regarding their data.
Without an adequacy finding, organisations sending personal data to the U.S. must take additional steps to make the transfer lawfully. With the original Privacy Shield no longer valid, other options include:
Binding Corporate Rules; and
Standard form contracts approved by the European Commission and the ICO respectively: the Standard Contractual Clauses (SCCs) for transfers from the E.U., and the International Data Transfer Agreement (IDTA) for transfers from the U.K.
Future Changes Expected
A Presidential Executive Order signed earlier in October 2022 (Executive Order 14086 on Enhancing Safeguards for United States Signals Intelligence Activities) paved the way for enhanced protection of personal data in the U.S., by limiting U.S. signals intelligence activities to what is necessary and proportionate and by creating a redress mechanism for individuals.
The European Commission has confirmed that the steps introduced in the new Presidential Executive Order help address concerns for protecting individual rights when data is processed in the U.S. This paves the way for an adequacy decision to be voted on by member states of the E.U. in 2023. An adequacy finding by the ICO is likely to follow.
If approved, an updated Privacy Shield 2.0 will reflect the new arrangements and bring the framework in line with the General Data Protection Regulation (GDPR).
U.S. companies importing data will likely need to be Privacy Shield 2.0 compliant to take advantage of any adequacy finding. However, it should allow for simpler contracting mechanisms for data flows in the future.
For Now?
Most transfers of personal data to the U.S. are carried out under approved contracts, either the E.U. Standard Contractual Clauses (SCCs) or the U.K. ICO International Data Transfer Agreement (IDTA), depending on the origin of the personal data. In each case, a transfer impact assessment (called a transfer risk assessment by the ICO) is needed in addition to the contract: it documents whether U.S. law and practice, in particular government access to data, undermine the contractual safeguards, and what supplementary measures (such as encryption with keys held outside the U.S.) are applied to close any gap.
The deadline for phasing out the old versions of the E.U. SCCs is 27 December 2022, so now is the time to make your final checks and replace any contracts that will become ineffective. For transfers from the U.K., the ICO's transitional period is longer: contracts concluded on or before 21 September 2022 using the old E.U. SCCs remain valid until 21 March 2024, after which the IDTA (or the U.K. Addendum to the new E.U. SCCs) must be in place.
Companies with U.S. subsidiaries should start to review their processes and begin thinking about how they will work towards Privacy Shield 2.0 compliance in their U.S. operations.