On Friday 7 October, US president Biden signed an Executive Order which, alongside the regulations issued by the Attorney General, implements into US law the agreement in principle announced in March on EU-US personal data flows (the Data Privacy Framework or DPF).
This is a significant development towards restoring seamless transatlantic data flows, which, as the White House reminds us in its fact sheet, “are critical to enabling the $7.1 trillion EU-U.S. economic relationship”.
How are the Schrems II concerns dealt with?
The EU Commission has welcomed the Executive Order, explaining that it “introduces new binding safeguards to address all the points raised by the CJEU” in Schrems II. These include:
- placing additional “necessary and proportionate” limitations and layers of oversight on the US intelligence services' access to personal data; and
- establishing an impartial and independent redress mechanism (including a newly formed “Data Protection Review Court”) to investigate and resolve complaints regarding data access by those services.
What next?
The EU Commission will now prepare a draft adequacy decision and launch its adoption procedure, which includes obtaining an EDPB opinion and EU Member States' approval. This process typically takes a few months. Personal data will then be able to flow freely to US companies certified under the DPF (following a commitment on their part to comply with a detailed set of privacy obligations).
Meanwhile, the US Attorney General will evaluate the EU in order to designate it as a qualifying state or regional economic integration organization. This then enables EU individuals who submit qualifying complaints to access the DPF’s redress mechanism. US officials consider this likely to happen “in the coming period”.
Looking further ahead, the DPF may well be challenged in the courts after its formal adoption. Privacy activists such as noyb have already publicly criticised it, although the EU Commission (and others) remain confident the DPF can withstand such challenge.
What about the UK?
Last week, the UK and US governments also announced progress on UK-US data adequacy. The UK welcomed the Executive Order and is “working expediently” to progress its own data adequacy assessment of the US. Meanwhile, the US intends to work to designate the UK as a qualifying state under the Executive Order. Both countries have agreed to conclude the adequacy work in the weeks ahead, with the UK government planning to lay adequacy regulations before parliament in “early 2023”.
What does this mean in practice for organisations?
For now, transfers to the US remain challenging and transfer impact assessments (or for the UK, transfer risk assessments) still need to be completed. For EU-US data flows, it was hoped that the DPF would be formally adopted by 27 December 2022, which is when the ‘old’ EU SCCs must be replaced by the new 2021 ones in all existing contracts. This may not happen in time, and organisations should be considering how they plan to address this repapering exercise for US transfers. In light of recent developments, they may reasonably choose to prioritise repapering contracts for material data flows that will fall outside the scope of the DPF (or UK equivalent).
Once the DPF is in force, it is likely that organisations will in any event still need to rely on EU SCCs (or the UK equivalents), for example for transfers to non-certified US entities. Helpfully, the EU Commission has clarified that all the DPF’s agreed safeguards in the area of national security (including the redress mechanism) will be available for all transfers to the US, regardless of the transfer tool used. This, and the existence of the DPF more broadly, will at least make the risk assessments required for any transfer relying on the EU SCCs (or the UK equivalents) significantly easier to complete in future.
In the more immediate term, these latest developments move us significantly closer to the resolution of the shortcomings identified in Schrems II and, whilst not yet removing all challenges, certainly start to change the dials in the assessment of risk for US transfers.