In July 2023 the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework, the third attempt to establish a lawful, frictionless flow of personal data between the two regions. Before looking at the previous attempts, let's first understand the concept of adequacy. Data adequacy refers to the level of protection a third country (a country outside the EU/EEA, or, under UK GDPR, outside the UK) provides for personal data transferred to it.
Data adequacy plays a crucial role in cross-border data transfers. The GDPR only permits a transfer to a third country on one of three bases: an adequacy decision, appropriate safeguards such as standard contractual clauses (SCCs) or binding corporate rules (BCRs), or a narrow set of derogations for specific situations. The European Commission evaluates the country's legal framework, data protection laws, individual rights and redress, and enforcement mechanisms, including the rules governing government access to data, to determine whether protection is sufficient. When a country is deemed adequate, personal data can be transferred to it without additional safeguards such as SCCs or BCRs.
Ensuring an equivalent level of protection as provided within the EU is essential when transferring personal data internationally. This safeguarding measure upholds the privacy and rights of individuals.
In June 2021 the EU granted the UK an adequacy decision, allowing data to flow freely between EU and UK organisations. Adequacy decisions are adopted by the European Commission, after an opinion from the EDPB, following an assessment that the third country's data protection laws and practices are "essentially equivalent" to European legislation.
In the absence of an adequacy decision, organisations must put safeguards in place and assess whether they actually work in the destination country. Depending on the concerns about that country's laws (in practice, whether authorities there can compel the importer to hand over data), the supplementary measures may include encrypting the data before export with keys that remain under the exporter's sole control, so that the importer cannot read it, or fully anonymising the data so that it is no longer personal data at all. These measures, and the reasoning behind them, must be documented in a Transfer Impact Assessment; the EDPB's recommendations on supplementary measures set out the steps, and the ICO publishes a transfer risk assessment tool for the UK equivalent.
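The first supplementary measure above, encryption with keys that never leave the exporter, is worth seeing in code, because its whole value depends on the importer holding nothing that can decrypt. The following is an added example, not code from the original article or from any regulator: an EU exporter seals each record with AES-256-GCM under a key it generates and keeps (in reality in an EU-controlled KMS or HSM; here in memory), binds the record identifier as associated data so sealed blobs cannot be swapped between records, and hands only the opaque blob to the overseas processor. The record IDs and plaintext are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Exporter holds the AES-256 key. The key is generated and retained on the
// exporter's side only; the processor that stores or handles the sealed blobs
// never receives it, so neither the processor nor an authority compelling the
// processor can recover the plaintext.
type Exporter struct {
	key []byte
}

// NewExporter generates a fresh 32-byte key from the OS CSPRNG.
func NewExporter() (*Exporter, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return &Exporter{key: key}, nil
}

func (e *Exporter) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(e.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record. Output layout is nonce || ciphertext || GCM tag.
// The record ID is authenticated as associated data: a blob sealed for
// "rec-1" will fail to open if presented as "rec-2". Random 96-bit nonces are
// fine for the volumes of a typical export; above roughly 2^32 records per key
// the key must be rotated.
func (e *Exporter) Seal(recordID string, plaintext []byte) ([]byte, error) {
	gcm, err := e.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Open reverses Seal. Any modification of the blob, any wrong record ID and any
// wrong key all surface as an authentication error rather than garbage output.
func (e *Exporter) Open(recordID string, blob []byte) ([]byte, error) {
	gcm, err := e.aead()
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	exporter, err := NewExporter()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; in practice this is the serialised personal data.
	blob, err := exporter.Seal("rec-1", []byte("Jane Doe, jane@example.eu"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("processor receives %d opaque bytes\n", len(blob))

	// The processor, modelled as a party with its own (different) key, cannot open it.
	processor, _ := NewExporter()
	if _, err := processor.Open("rec-1", blob); err != nil {
		fmt.Println("processor cannot decrypt:", err)
	}

	// Only the exporter, with the original key and the correct record ID, can.
	pt, err := exporter.Open("rec-1", blob)
	fmt.Printf("exporter recovers: %q (err=%v)\n", pt, err)
}
```

The design point a Transfer Impact Assessment should record is the one the `processor` variable demonstrates: the importer's inability to read the data is a property of key custody, not of the cipher. If the key is also sent to the processor, or stored in the same US-hosted KMS, the measure no longer protects against compelled disclosure.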
Previous attempts at establishing EU/US data transfers
The initial effort was the Safe Harbor framework, which the CJEU invalidated in Schrems I (2015). The EU and US then negotiated a replacement, the EU-US Privacy Shield, which the CJEU invalidated in turn in Schrems II (2020).
Both rulings turned on the gap between the protection US law gives to people in Europe and the protection EU law requires. The rights and limits attached to US surveillance programmes, notably Section 702 of FISA and Executive Order 12333, are largely reserved for "US persons"; non-US persons, including EU residents, had neither a proportionality limit they could rely on nor an effective means of redress. US authorities can therefore, lawfully under US law, access the data of non-US persons, which exposes EU residents' data stored or processed in the US.
Since Schrems II, EU supervisory authorities and courts have repeatedly found that specific data exports to the US breached the GDPR, because SCCs alone, without effective supplementary measures, did not address that government access. In May 2023 the Irish DPC fined Meta, Facebook's parent company, a record EUR 1.2bn for its transfers of EU user data to the US. Many smaller organisations have likewise been found to be using services such as Google Analytics and US-based email gateways unlawfully. The pattern in these decisions is that transfers of personal data to a country without an adequacy decision, the US in particular, are hard to safeguard adequately, leaving organisations exposed to enforcement.
So, what's the score now?
In the UK, the ICO has not been particularly vocal about data exports to the US. It has, however, published guidance and a transfer risk assessment tool for assessing and safeguarding exports to third countries.
Following the EU's lead, the UK established a similar arrangement with the US, the UK-US data bridge, effective from October 2023. Both the Data Privacy Framework and the data bridge rely on US organisations self-certifying to the framework (for UK transfers, to the UK Extension of it) and appearing on the list maintained by the US Department of Commerce. Before relying on either, EU and UK data exporters should check that each overseas processor is on that list, that its certification is current, and that it covers the categories of data being transferred; a processor that is not listed has to be handled under SCCs or the UK IDTA with a transfer risk assessment, as before.
It is highly likely that this latest framework will be challenged in the courts, certainly in Europe, and it may well be invalidated just as its predecessors were.
Given that, organisations should keep a current map of their international transfers and the legal basis for each, check the certification status of their US processors rather than assuming it, and retain their transfer impact assessments and supplementary measures so they are not starting from scratch if the framework falls.