Welcoming the new year – and a new mechanism for EU-U.S. data transfers?

In October 2022, President Joe Biden’s administration published an executive order regarding a new EU-U.S. Data Privacy Framework, i.e. the replacement of the so-called Privacy Shield mechanism previously allowing transfers of personal data from the EU to the U.S. The executive order immediately sparked the European Commission’s process to assess the new U.S. regime and prepare a respective adequacy decision, which would bring considerable certainty and clarity to trans-Atlantic data flows. In essence, it was a beacon of hope for European organisations having struggled with U.S. data transfers, for example in connection with various established cloud services, ever since the prior Privacy Shield mechanism was invalidated by the Schrems II judgement in July 2020.

Wherever personal data exits the region of the European Economic Area (EEA), the General Data Protection Regulation (GDPR) requires an underlying transfer mechanism allowing such international transfer of personal data. International transfers of personal data include actually transferring data for storage outside the EEA but also cases where EEA-stored data is merely accessed from non-EEA countries. Such access is a common feature in many established cloud services with a corporate connection, for example, to the U.S. or India.

Transfers specifically to the U.S. previously relied on the Privacy Shield framework, in which transfers to U.S. companies locally certified in the Privacy Shield system were justified by virtue of an adequacy decision by the European Commission. However, Privacy Shield’s adequacy status was invalidated on 16 July 2020 pursuant to the so-called Schrems II decision of the Court of Justice of the European Union (CJEU). This left European companies having to resort to alternative transfer mechanisms, namely standard contractual clauses, to legitimise transfers to the U.S. This alternative involves further hurdles, such as obligations to carry out transfer impact assessments (TIA) and supplementary safeguards due to the very same Schrems II decision.

It therefore goes without saying that the new executive order and consequent adequacy process have been warmly welcomed by relevant stakeholders. For a long time, details on the preparation of the new framework were rather limited with the most concrete update being that, in March this year, the EU and U.S. announced that an “agreement in principle” for a new data transfer arrangement had been reached.

The situation as it stands

The new framework, introduced by the October executive order, aims to address the various shortcomings of Privacy Shield identified by the CJEU in Schrems II. In particular, it sets out new binding requirements of proportionality and necessity for the actions of U.S. surveillance authorities contemplating access to EU data as well as a multi-layer redress mechanism for individuals affected by such access. Moreover, the U.S. Department of Commerce has prepared a set of renewed commercial data protection principles, also known as the EU-U.S. Data Privacy Framework Principles, to which U.S. organisations will certify similarly to the setup under Privacy Shield.

On the EU side, the European Commission is currently preparing an adequacy decision on the basis of the renewed U.S. regime. In fact, the Commission only recently, on 13 December, adopted its draft of the adequacy decision signalling that the process is indeed proceeding swiftly. The draft decision is currently being reviewed by the European Data Protection Board, after which the EU member states and the European Parliament will weigh in on the matter before the Commission is able to adopt a final adequacy decision, which is expected to happen in spring 2023.

The contents of the draft adequacy decision have already attracted attention, with the most obvious takeaway, naturally, being that the European Commission has now concluded that the U.S. ensures an adequate level of protection for personal data transferred to U.S. companies under the new regime. However, the adequacy determination would already be subjected to a first review within one year to ensure that all relevant elements of the new regime have been duly implemented and are functioning effectively in practice. Following that, there would be a regular reassessment at least every four years.

For all its ambition, it already seems evident that the new framework will eventually be challenged in the EU courts. Therefore, the new adequacy solution is likely to merely buy time for a couple of years until ‘Schrems III’ is around the corner. Consequently, alternative transfer measures, such as the recently updated standard contractual clauses for international data transfers, remain a key compliance tool to keep in place as a secondary mechanism in case the new U.S. adequacy arrangement is, yet again, invalidated or where it does not apply to a specific transfer. In particular, standard contractual clauses are still the predominant transfer mechanism as regards all non-EEA countries, for which an adequacy decision is not available (for example India and China).

Compliance checklist for the turn of the year – what to do while waiting for adequacy?

Although the focus is mainly on the upcoming adequacy decision, it is important to note that the new binding requirements of the executive order will already afford increased protections for all U.S. data transfers even before official adequacy status is granted. This is because the executive order is now being implemented by the relevant U.S. intelligence agencies, thereby mitigating many of the risks to the protection of EU data previously identified in the Schrems II decision. Consequently, it will also be easier to rely on, for example, standard contractual clauses and related transfer impact assessments to justify U.S. transfers, since the local regime has been bolstered in terms of data protection safeguards. It can also be argued that the supervisory authorities will be less eager to investigate U.S. transfer activities in this rapidly evolving landscape.

In our view, data transfer compliance work should now be focusing on the following aspects:

  • Keeping a close eye on the horizon:
    The process for achieving a new adequacy arrangement for U.S. data transfers has certainly had its twists and turns and continues to do so. Affected European organisations should closely monitor the progress towards adequacy and, for example, assess its impacts on ongoing IT projects (for example, by including contract wording addressing the impact of a near-future adequacy decision on any potentially underlying U.S. data transfers).
  • 27 December is around the corner:
    Ongoing work for the adoption of the new standard contractual clauses, by its deadline on 27 December 2022, remains relevant both as an underlying secondary transfer mechanism for U.S. transfers and, naturally, for transfers to non-EEA countries without an adequacy arrangement, for example India and China. Moreover, standard contractual clauses will still be needed in spring 2023 for U.S. transfers until the new adequacy decision is in place, and also thereafter for such U.S. transfers, which do not fall under the new regime.
  • Keeping up the good work in adopting TIA processes:
    Despite the upcoming U.S. adequacy arrangement, the new requirements under Schrems II regarding transfer impact assessments (TIA) and supplementary safeguards are here to stay, in particular where standard contractual clauses are used as a transfer mechanism (i.e. transfers not falling under an adequacy decision). Many European organisations have been working, since Schrems II, to adopt the most convenient approach to TIAs and to align TIAs with pre-existing processes. This work continues.

Special thanks to Amanda Terhonen who participated in the writing of this article and works as an Associate Trainee at Dittmar & Indrenius in autumn 2022.
