After the failure of Safe Harbor and Privacy Shield, the EU and the US are back at the negotiating table, seeking a new agreement that would avert a blockage of personal data transfers from the EU to the US and establish new rules for transatlantic data flows.
To clarify the vexed question of EU-US personal data transfers (which also covers remote access from a third country), it is first appropriate to set out the European regulatory framework governing data transfers to countries outside the European Economic Area (EEA). In principle, two routes are most often used to enable the transfer of personal data to third countries outside the EEA. Transfers of personal data may take place (i) on the basis of an adequacy decision by the European Commission or, in the absence of such an adequacy decision, (ii) if the data controller or processor provides appropriate organizational, technical, and contractual safeguards, including enforceable rights and judicial remedies for the data subject, through instruments such as standard contractual clauses or Binding Corporate Rules (BCRs).
The difficulties in adapting the instruments governed by the GDPR to the complex regulatory framework of the United States have, over time, favored the emergence of specific agreements aimed at governing transfer activities: a sort of “conditional adequacy” assessment tied to specific technical and organizational security conditions. The European Commission has, to date, entered into two such agreements with the United States, the Safe Harbor and the Privacy Shield, both of which were invalidated by the Court of Justice, in 2015 and 2020 respectively (the “Schrems I” and “Schrems II” cases). In particular, the European court found the agreements inadequate by comparing the range of fundamental rights and freedoms established by European law with the U.S. regulatory framework on intelligence and on the exercise of data subject rights against public authorities. Pervasive provisions such as FISA Section 702 and Executive Order 12333 form the basis of the Schrems II judgment.
The absence of a precise instrument to govern EU-US data transfers has gradually created an impasse between European and US companies. Since the Schrems II case, many U.S. and EU companies have resorted to the standard contractual clauses prepared by the European Commission, one of the safeguards governed by Article 46 GDPR. On this point, the EDPB has recently reiterated the importance of conducting transfer impact assessments of cross-border transfers, as well as adopting any supplementary measures needed to preserve the level of data protection required by European law. In addition, as of September 27, 2021, only the new set of standard contractual clauses approved by the European Commission may be used to govern transfers of personal data outside the EEA.
The current context is compounded by the measures issued in recent months by the European supervisory authorities, aimed at penalising unlawful transfers of, or access to, personal data by entities subject to US law. The most recent example is undoubtedly that of the Italian data protection authority, which, in its sanctioning measure against Bocconi University of Milan, contested the deployment of remote proctoring software for students that resulted in an unlawful transfer of data to the United States.
The interests at stake are very high, given the strong operational, economic, and social ties between the EU countries and the United States. Many European companies make extensive use of suppliers (or sub-suppliers) of digital services established in the United States, especially in the cloud computing sector. On the other side of the Atlantic, over-the-top players such as Facebook, WhatsApp and Netflix see the European market as a thriving opportunity for commercial expansion that can only be exploited by virtue of an EU-US data flows agreement.
Finally, the U.S. Chamber of Commerce has published an article highlighting the importance of a data flow agreement between European and U.S. companies. The paper sets out thirteen reasons why the adoption of a new Privacy Shield should be a priority, given the potential negative consequences that a blockage of EU-US data transfers would have for citizens, workers and companies on both sides of the Atlantic. The change of administration in Washington could, in this sense, accelerate the negotiations: the new Biden administration has expressed interest in reaching a replacement agreement with the Commission as soon as possible.
A different view has been expressed by the European Commissioner for Justice in the von der Leyen Commission, Didier Reynders, who in a recent public statement pointed to a general slowdown in the negotiations on the new Privacy Shield. The “stone guest” at the negotiating table would be, once again, the complex U.S. regulatory framework on intelligence and investigative powers, a source of widespread concern for the European Commission.
This news takes on added significance because, as of September 27, 2021, only the new (and no longer the old) Standard Contractual Clauses approved by the European Commission may be used to govern transfers of personal data outside the European Economic Area, and these expressly require a transfer assessment to be performed pursuant to the Schrems II judgment. To that end, DLA Piper has developed a legal tech tool to assist in the assessment of data transfers outside the EEA, which we discuss in the article “How to Perform a Personal Data Transfer Assessment Under Schrems II.”
On the same topic, you can read the article “What changes with the new standard contractual clauses on personal data transfers?”.