Third time’s the charm? EU, U.S. announced new data privacy framework

On March 25th 2022 the European Commission (EC) and the United States announced a new Trans-Atlantic Data Privacy Framework. The goal is to foster data flows between the two continents and address the concerns the Court of Justice of the European Union (CJEU) raised. Altogether, this is now the third time that the respective parties are agreeing on personal data transfer mechanisms. The European Data Protection Board has noted, that at this stage, no legal framework is constituted on which data exporters can base their data transfers. Find out below on how the Framework affects your company and what actions are appropriate to take.

What does this EU-U.S. data transfer reform mean for your company? This is a question still left open until further details on the Framework are being published. Despite the upcoming mechanism, organizations should ensure the adequate level of data protection when transferring data to third countries. There is reason to continue projects regarding international data transfers. Appropriate actions include:

Check, that your company’s data protection documentation is up to date. Reliance on the Privacy Shield is no longer valid. Ensure, that all personal data proceedings and arrangements are documented.

Acknowledge your company’s data transfers by charting countries to which personal data is being transferred. Your analysis should include the location of the service provider, locations of the servers, functions that have been transferred further to sub-processors , and access to data by controllers outside of the EEA/EU area. 

If personal data is being transferred outside of EU or countries approved by the EC, your organization should:

Conduct a transfer impact assessment (TIA-analysis). The analysis assesses the legislation of the country to which data is being transferred as well as additional protection measures, for example from the viewpoint of data security.

✅ Update new standard contractual clauses (SCCs) into your personal data processing agreements.

Update your possible binding corporate rules (BCRs).

While waiting for the new Framework on which data transfers can be based on, the GDPR enables the possibility to use the above mentioned SCCs within data transfers to third countries. These clauses are provided and preapproved by the EC and were updated last time in June 2021. In the latest version of the SCCs, the requirements set by the Schrems II ruling are met. The SCCs include specifications of the obligations of the importer and exporter of personal data.

SCCs can provide a useful tool for data transfers between the EU and the U.S., but it is important to be aware of their contents and how to use them before the utilization. The updated SCCs include an individualized set of clauses for four different transfer scenarios all of which are included in a 34-page document. This means, that the published clauses create a fairly complex entirety which may cause challenges in their use. It should be noted that the deadline given by the officials for updating SCCs utilized in your data processing contract is December 27th 2022. The SCCs are available at EC’s website.

Information on the upcoming Framework

In July 2020, the CJEU invalidated the Privacy Shield arrangement with its Schrems II ruling. Data transfers between the EU and the U.S. were largely based on this arrangement. After the ruling, there has been uncertainty surrounding data transfers and flows between the EU and the U.S. This uncertainty has affected companies acting in international markets and the social media giant Meta has threatened that it may be forced to shut down its Facebook and Instagram operations in EU-territory. In addition to Meta, Alphabet Inc.’s Google Analytics service has been deemed violating the GDPR. Officials on both sides of the Atlantic have been working towards a replacement for the now invalidated Privacy Shield in order to reduce the existing uncertainty.

Finally, over 1.5 years later, the EU and the U.S. announced that they have agreed in principle on a new Trans-Atlantic Data Privacy Framework which should secure data flows between EU citizens and U.S. companies. Still, the details of the Framework are unknown, including the schedule of the new mechanism. The new Framework indicates an unprecedented commitment on the U.S. side to implement reforms regarding signals intelligence activities. The U.S. is to put in place new safeguards to ensure the necessity and proportionality of said activities. This means restricting the access to personal data by the U.S. intelligence agencies. These will ensure the privacy of EU personal data and a new multi-layer mechanism shall be created for EU individuals to seek redress if needed. In the Joint Statement of the EC and the U.S., the parties state that the new Framework shall provide a durable basis for data flows between the continents and enables commerce in all sectors of the economy, including for small and medium enterprises.

The next steps of the parties are to translate the proposed Framework into legal documents and to adopt those documents. For that purpose, on the U.S. side, the commitments will be included in an Executive Order which will form the basis of the EC’s assessment in its future adequacy decision. EC’s adequacy decisions have also formerly provided the basis for the earlier data transfer arrangements.

Between the EU and the U.S., more data is being transferred than anywhere in the world. As they say, third time’s the charm. Fingers crossed the old phrase holds true here, too!

Whenever in doubt about data protection legislation, or any other legal matters, always consult your legal expert. We are here to help you and your business thrive!