EU/US Data Privacy Framework overview: the new Privacy Shield and a draft adequacy decision

What is it?

A new framework designed to replace the previous US Privacy Shield, which was invalidated by the European courts in July 2020, has been signed off by US President Biden and Ursula Von der Leyen and a draft adequacy decision prepared by the European Commission.

What does this mean for you?

1. The “new Privacy Shield” decision would remove the requirement for using SCCs and IDTAs and carrying out TIAs/TRAs for transfers to US entities and organisations under the new framework. This will reduce the administrative burden and speed up compliance for data transfers across the Atlantic.
2. Introduction of the new framework will allow for greater clarity and compliance for transfers of personal data across the Atlantic, removing the doubt that has remained despite the common practice of relying on SCCs and IDTA together with TRA and TUAs.
3. The new framework means individuals will be able to lodge a complaint and potentially seek redress through the independent Data Protection Review Court made up of member from outside the US government.

Why this legislation is required

The US currently does not have an “adequacy decision” in its favour from the European Commission under the EU GDPR 2016/679 that would deem its storage, management and processing of an individual’s personal data as sufficiently protective.

As a result, the US is not considered a safe jurisdiction for the transfer of personal data and additional EU approved data transfer mechanisms are required for global businesses transferring data to the US. In adopting the EU GDPR post Brexit (as the new “UK GDPR”), the UK has followed suit and Uk personal data is affected in the same way. This is primarily due to the US’ extensive surveillance powers over personal data which means that US public authorities always have an overriding interest and corresponding right to access the personal data of US and non-US citizens.

This has made transfers of European and UK personal data to the US a difficult process over the past two years.

The commercial context

The economic relationship between the EU and US is said to be worth 7.1tn USD as of 2022, with the US being one of the UK’s biggest trading partners. With increased globalisation, and service offerings by conglomerates, it follows that European and UK personal data that may follow such trades must be adequately held, processed, and protected in accordance with the EU GDPR (and the UK GDPR) the process.

An agreement in principle

As of December 2022, the European Commission has published a draft adequacy decision for the US with a final decision expected in Spring 2023. This brings the United States one step closer to an adequacy decision from the European Union pending the following:

• The draft adequacy decision goes before the European Data Protection Board and a separate data protection committee, who will provide the Commission with an opinion of the draft which is highly influential although not binding
• The draft adequacy decision will then receive the vote of MEPs.

If the drafting of the European Commission is approved by bote the European Data Protection Board and the committee and passed by the MEPs, then the adequacy decision itself must be drafted up.

What has changed?

The US have introduced new, independent, means of enforcing the data subjects’ legal rights in the US before an independent data protection review court with specialist judges who understand the rights afforded under EU and UK data protection legislation. These judges are not political appointments by the US government. Further, the court will appoint specialist advocates to defend data subjects’ interests.

The content objected to in the Schrems II ruling has been revised. This features the following:

1. The deletion of personal data; personal data is to be deleted if the purpose for which it was collected no longer applies.
2. Data protection obligations continue through to third parties who may receive it.

It is important to note that access to e-communications and any personal data contained in it, for the purposes of mass surveillance, is not entirely ruled out in the agreement in principle – the bar is simply higher, therefore there is still a possibility that the new “Privacy Shield 2.0” may receive objections from interested parties.

Additionally, there is a question mark over the long-term viability of Biden’s Executive Order, since it can be overturned by a further Executive Order by him or any other President, so this measure to achieve adequacy is of uncertain longevity. If it were to be “undone”, then it is very likely the EU’s adequacy decision would equally fall away.

What about the UK?

While the EU decision will not legally bind the UK, it seems very likely that the Uk will follow the EU guidance or put similar measure in place, if only for the practical and commercial reason of benefitting from easier transfer of data to the US and having a “level playing field”.

In even more detail:

The new US regulations, plus the Executive Order, aim to address two failings the CJEU cited when invalidating the Privacy Shield, namely lack of necessity justifying the surveillance of e-communications and personal data and ) proportionality.

Addressing lack of necessity and proportionality

The Executive Order given by the US President is an authoritative order which requires U.S. intelligence authorities to limit signal intelligence activities to what is necessary and proportionate.

This is done in the following ways:

• Necessity and proportionality are explicitly mandated
• Explaining what the mandate means
• Prescribing an oversight mechanism to verify that intelligence agencies follow the rules: via appointment of Civil Liberties Protection Officer of the Director of National Intelligence to assess whether intelligence activities remain within these bounds

Placing practicable guardrails around the permissible collection and impermissible collection of data (see Sec 2(c))