Successor framework for Privacy Shield has been revealed bringing long-awaited hope for EU-U.S. data transfers

D&I Alert

Posted on 10 Oct



On Friday 7 October, President Joe Biden’s administration published an executive order regarding a new EU-U.S. Data Privacy Framework, i.e. the replacement for the so-called Privacy Shield mechanism that previously allowed transfers of personal data from the EU to the U.S. Although the executive order does not, in itself, legitimise trans-Atlantic data flows, it is a beacon of hope for European organisations that have struggled with U.S. data transfers since the Schrems II judgement in July 2020.

Put simply, the General Data Protection Regulation (GDPR) requires that, wherever personal data exits the region of the European Economic Area (EEA), there must be an underlying transfer basis legitimising such international transfer of personal data. International transfers of personal data include actually transferring data for storage outside the EEA but also cases where EU-stored data is merely accessed from non-EEA countries. Such access is a common feature in many established cloud services with a corporate connection, for example, to the U.S.

Transfers specifically to the U.S. previously relied on the Privacy Shield framework, in which transfers to U.S. companies locally certified in the Privacy Shield system were justified by virtue of an adequacy decision by the European Commission. However, Privacy Shield’s adequacy status was invalidated on 16 July 2020 pursuant to the so-called Schrems II decision of the Court of Justice of the European Union (CJEU). This left European companies having to resort to alternative transfer mechanisms, namely standard contractual clauses, to legitimise transfers to the U.S. This alternative involves further hurdles, such as obligations to carry out transfer impact assessments and supplementary safeguards due to that same Schrems II decision.

Needless to say, Friday’s announcement of the new executive order was highly welcomed by relevant stakeholders. Until now, details on the preparation of the new framework have been rather limited with the most concrete update being that, in March this year, the EU and U.S. announced that an “agreement in principle” for a new data transfer arrangement had been reached.

Addressing Schrems II concerns – but for how long?

The new framework aims to address the various shortcomings of Privacy Shield identified by the CJEU in Schrems II. In particular, it sets out new binding requirements of proportionality and necessity for the actions of U.S. surveillance authorities contemplating access to EU data as well as a multi-layer redress mechanism for individuals affected by such access.

It will still take a while for these new safeguards to amount to an adequacy arrangement under the GDPR. The European Commission will now prepare a draft adequacy decision on the basis of the executive order and accompanying regulations. Following this, the European Data Protection Board, EU member states and the European Parliament will weigh in on the matter before the Commission is able to adopt a final adequacy decision, which is expected around March 2023.

Importantly, however, the new binding requirements of the executive order will afford increased protections for all U.S. data transfers even before an official adequacy decision. This is because the executive order will now be adopted by relevant U.S. intelligence agencies, thereby mitigating many of the risks to the protection of EU data as previously identified in the Schrems II decision. Consequently, it will also be easier to rely on, for example, standard contractual clauses and related transfer impact assessments to justify U.S. transfers, since the local regime has been bolstered in terms of data protection safeguards. It can also be argued that the supervisory authorities will be less eager to investigate U.S. transfer activities in the highly evolving landscape.

For all its ambition, it already seems evident that the new framework will eventually be challenged in the EU courts. Therefore, the new solution is likely to merely buy time for a couple of years until ‘Schrems III’ is around the corner. Consequently, it is important to note that alternative measures, such as the recently updated standard contractual clauses, remain a key compliance tool to keep in place as a secondary mechanism in case the new U.S. adequacy arrangement is, yet again, invalidated or where it does not apply to a specific transfer. Moreover, standard contractual clauses are still the predominant transfer mechanism as regards all non-EEA countries, for which an adequacy decision is not available (e.g. India and China).

Key takeaways

The process for achieving a new arrangement for U.S. data transfers has certainly had its twists and turns. In our view, the following points are of utmost importance for European companies trying to keep up with the EU-U.S. data transfer saga:

  • The process for a U.S. adequacy arrangement has now kicked off and is expected to be finalised in March 2023 if not earlier.
  • In addition to the adequacy process, the newly introduced framework also increases legal certainty for transfers relying on other transfer mechanisms, namely standard contractual clauses and related transfer impact assessments.
  • Although the adequacy determination is still down the road, its approach is likely to alleviate supervisory authorities’ eagerness to investigate U.S. transfers in the evolving context.
  • Ongoing work for the adoption of the new standard contractual clauses (by its deadline in December 2022) remains relevant both as an underlying secondary transfer mechanism for U.S. transfers and, naturally, for transfers to non-EEA countries without an adequacy arrangement, e.g. India and China.
