The European Commission and the White House announced on the 25th of March that an agreement in principle has been reached on the transfer of personal data from the EU to the US. This is a long-awaited milestone; however, it is not the end of the journey.
Background on Trans-Atlantic personal data flow - EU-U.S. Privacy Shield
Max Schrems and his not-for-profit privacy rights organisation NOYB (None Of Your Business) took cases against Facebook in Ireland that were escalated to the European Court of Justice. In Schrems I, Safe Harbour was invalidated, and in Schrems II, Privacy Shield was invalidated. Both mechanisms had been established to allow the safe transfer of personal data from the EU to the US. However, in Schrems II in July 2022, the European Court of Justice found that the US does not provide the adequate level of protection for personal data that the GDPR requires for such transfers to go ahead. Since then, EU and US negotiators have been hard at work developing a replacement for Privacy Shield.
What was agreed on in the personal data transfer deal?
The US has agreed to put in place additional controls and governance over how government authorities use surveillance, and to establish an independent function through which individuals can seek redress. The deal also requires US agencies to adopt more stringent oversight of surveillance activities and to take privacy and civil liberty standards into account. Read the European Commission announcement here.
The European Commission and the White House hope that effective implementation of these measures will satisfy the Schrems II ruling and provide an equivalent level of protection for EU citizens, thus allowing transfers to go ahead.
Note that under the agreement, US-based companies still only need to self-certify that they are compliant with what is being called Privacy Shield 2.0, and that self-certification model may itself be challenged. A more impactful form of certification might be a European Privacy Seal that can be relied upon as a transfer safeguard pursuant to Article 46.
What does the personal data transfer deal mean?
Organisations have been going through the process of updating their standard contractual clauses (SCCs) for international transfers and undertaking transfer impact assessments (TIAs). We recommend that they continue to do so. SCCs should still be used, as they provide a legal basis for the transfers and ensure that each party's roles, responsibilities, and liabilities are examined. TIAs should also continue to be used, in line with Schrems II, which requires that the safeguards for any transfer be assessed before it takes place. However, the deal does mean that these activities may not need to be as high a priority as they would have been without Privacy Shield 2.0.
In recent decisions by European Supervisory Authorities, the transfer of data through Google Analytics was found to be non-compliant with the GDPR for reasons related to US surveillance. The introduction of Privacy Shield 2.0 should allow those transfers to go ahead again.
What's in store for Trans-Atlantic personal data transfers?
It is still not entirely clear what the near future holds for transfers to the US, but there is some light at the end of the tunnel. Organisations should continue to be vigilant and apply strict controls to any transfers, making sure those controls are documented in their SCCs and TIAs.
It is important to note that even with Privacy Shield 2.0, TIAs should still be carried out, and should become as routine as your data protection impact assessments.
For more information on SCCs and TIAs, check out our webinar, Transferring data outside the EEA under the new Standard Contractual Clauses.