We’re back to the drawing board when it comes to personal data transfers between the EU and the US.
The EU–US Data Privacy Framework was announced this time last year, with the hope of creating a legal precedent that would enable transatlantic data flows.
However, the European Parliament announced in February that it’s advising against the adoption of the framework because it doesn’t comply with EU law. The proposal grants too much leeway to the US government to monitor personal data, which contradicts the rights enshrined in the GDPR (General Data Protection Regulation).
Despite provisions in the text to bolster data privacy, and assurances from President Biden to curb government surveillance, EU lawmakers believe that the framework falls short.
It’s a familiar story, with the EU–US Data Privacy Framework being simply the latest in a series of failed transatlantic data transfer mechanisms.
The problems started when the Austrian privacy activist Max Schrems mounted a legal challenge against the Safe Harbour Agreement. The framework, which had been in place for fifteen years, was invalidated after Schrems successfully argued that US data protection laws failed to uphold EU laws.
The US has a more relaxed attitude towards data protection than the EU, granting organisations and the government greater control over the way personal information is collected and used.
This problem was exacerbated shortly after the collapse of the Privacy Shield, with the GDPR being announced the following year. Organisations were given two years to implement its requirements, which set in motion a major shift in the way the EU and the US regarded data privacy.
The EU enhanced the power that individuals have, while the US remains steadfast in its loyalty to the private sector. Although a few states have introduced tougher data privacy rules, there are still very few federal-level laws on data privacy.
It’s hardly a surprise, therefore, that the successor to Safe Harbour – the EU–US Privacy Shield – met a similar demise. Amid even stricter EU rules, the faults were readily apparent, and it was invalidated after four years.
The latest proposal, the Data Privacy Framework, didn’t even have a chance to be challenged, with EU lawmakers spotting problems in its proposal.
What went wrong?
This time last year, things were looking good for the Data Privacy Framework. EU President Ursula von der Leyen and US President Joe Biden said they’d reached an agreement in principle for transatlantic data flows, with Biden signing an executive order on the matter in October.
But the agreement still had to pass through the European Parliament’s LIBE (Committee on Civil Liberties, Justice and Home Affairs), and it was not happy with the proposal. In a non-binding draft proposal, it raised concerns similar to those that derailed previous frameworks.
The LIBE advised that the European Commissioner should not proceed with the proposal “unless meaningful reforms were introduced”. And, unfortunately, the sorts of reforms it wants to see are at odds with US law.
According to the committee, there are still no robust government surveillance safeguards or mechanisms that give EU residents’ transferred data “actual equivalence in the level of protection”.
The committee also noted that President Biden’s executive order didn’t prohibit the bulk collection of personal data by US surveillance bodies.
Moreover, the president – whether that’s Joe Biden or a successor – is free to revoke or amend executive orders. This could mean, for instance, that the US could expand the list of legitimate national security objectives, changing the way that personal data collection works.
All of this bodes poorly not only for the Data Privacy Framework but also for any mechanism to support transatlantic data transfers.
As Neil Brown, a tech lawyer at decoded.legal, told The Register when summarising the problem: “No amount of paperwork will overcome what they perceive to be aspects of US law which they consider to be incompatible with the EU GDPR.”
What next?
The ongoing wrangling between US and EU lawmakers is bad news for any organisation whose business spans both sides of the Atlantic, and that’s a lot more common than you might think.
It’s not only businesses with an international presence that are affected; there are knock-on effects throughout countless sectors. The technology industry is one prominent example, with many of the world’s most common tech services importing personal data to US-based servers.
The collapse of the Privacy Shield, with no replacement on the horizon, has left many organisations unsure about how to proceed.
Many organisations turned to SCCs (standard contractual clauses), which are effectively pre-approved templates containing rules for data protection. However, these also came under scrutiny from Max Schrems, which resulted in a restriction of their applicability.
For an SCC to be lawful, organisations and regulators must conduct a case-by-case analysis of it to determine whether protections concerning government access to personal data meet EU standards.
Despite this, SCCs remain the most appropriate method for international data transfers, but you must be careful when using them.
If you need help understanding your requirements or creating an SCC, IT Governance can help.

Our EU–US GDPR Data Transfer Assessment and Action Plan provides the support you need to comply with the GDPR while transferring personal data outside the EU.
We will conduct a thorough assessment of your data transfer practices and requirements, offering step-by-step advice on how to complete data transfers efficiently and in accordance with the GDPR’s requirements.