Alert: Data Transfer Update

0
287

By Jonathan Armstrong, Partner, Cordery

Introduction

There have been a number of significant announcements this month on new data transfer deals. But will they make the life of a compliance professional easier? There is a shortage of detail on the various deals between the EU-US, UK-US and UK-Singapore, and whilst there is progress it is far from clear that data transfer issues are at an end.

Some specialist data protection terms are used in this update which are explained at www.bit.ly/gdprwords.

EU-US

On 07 October, US President Biden signed an Executive Order as part of an understanding with the European Commission for a new data transfer scheme, provisionally called the Data Privacy Framework (DPF) to replace Privacy Shield and its predecessor Safe Harbor. The Executive Order is known as ‘Enhancing Safeguards for United States Signals Intelligence Activities’.

The Privacy Shield scheme was struck down the by the European Court of Justice (ECJ) in July 2020. You can find background on the Privacy Shield scheme here. Privacy Shield replaced an earlier scheme known as Safe Harbor which was also struck down by the ECJ in October 2015. Anyone who was at the SCCE Compliance and Ethics Institute in October 2015, will remember the chaos that that caused at the time! Both schemes had been challenged as a result of complaints brought by Austrian campaigner Max Schrems. You can find out more about Mr. Schrems and the background to his complaints in our interview with him in 2016 here.

DPF seeks to deal with some of the concerns raised by the ECJ including:

  1. There will be an initial complaint mechanism for data transfer complaints to a new Civil Liberties Protection Officer.
  2. The US will establish a secondary new complaint mechanism in the US known as the Data Protection Review Court (DPRC). It is not yet clear whether complainants will have the right to be heard in the DPRC but it is proposed that an advocate will be appointed to make representations to the court on behalf of EU or UK nationals. There are also concerns that despite its name the DPRC is not in fact a court in the true sense.
  3. Improving safeguards to limit access to data by US intelligence authorities “to what is necessary and proportionate to protect national security”.
  4. Requiring US intelligence agencies to review their policies and procedures to implement these new safeguards.

Organisations will need to opt-in to be part of the DPF scheme. It is likely that a self-certification register will again be set up as under Privacy Shield and Safe Harbor.

What happens next with DPF?

The European Commission will now draft an Adequacy Decision and once they have drafted it they will consult with the European Data Protection Board (EDPB). They are not however bound by the EDPB’s opinion. There will also need to be consultation with EU Member States who could potentially block the deal, for example if opposition continues to build up a head of steam in Germany. The European Parliament will also have their say although the Commission will not be bound to follow any recommendations they make. Going against any EDPB recommendations in particular however would be a brave step from the Commission especially given the possibility of court challenge.

All of this could take time and it is unlikely that the deal will be in place before Spring 2023.

Will the EU-US Deal be Challenged?

Almost certainly yes.

In our view, the fact that the US is trying to cure the ECJ’s concerns by an Executive Order again makes the prospects for a successful challenge greater. One of the concerns previously was how President Trump seemed not to continue the momentum that President Obama had envisaged when setting up the Executive Order and given that the Executive Order could be overruled by a new President, concerns will remain.

The same day as the announcement, Max Schrems, whose complaints effectively led to the striking down of both Safe Harbor and Privacy Shield, said that he thought that the new deal was unlikely to solve the problems. He said that his pressure group NOYB would likely challenge the new deal if it believes that it is not in line with EU law. But Schrems/NOYB is not the only group with a track record of challenges – a number of other organisations challenged Privacy Shield in addition including Digital Rights Ireland and the French pressure group La Quadrature du Net and they are both likely to be watching these developments too

Much of the criticism seems to be based around the fact that the changes are made through an Executive Order which is effectively an internal directive by the President but not with the same force as Federal legislation. The Executive Order route has been used in the past including with the Executive Order passed by President Obama which sought to underpin the Privacy Shield deal.

Max Schrems also feels that the proposed DPRC is not a significant upgrade from the ombudsperson system which was provided for in the Privacy Shield deal and which was rejected by the ECJ. However, some on the US side say that constitutionally a true court is a hard thing for the US to deliver.

There were successful challenges to both Safe Harbor and Privacy Shield and challenges to the new deal look likely. Another EU consumer organisation, BEUC, has said that the new deal lacks substantial improvement. Ursula Pachi, the Deputy Director of BEUC said “However much the US authorities try to paper over the cracks of the original Privacy Shield, the reality is that the EU and US still have a different approach to data protection which cannot be cancelled out by an executive order. The moment EU citizens’ data travels across the Atlantic, it will not be afforded similar protections as in the EU.”

UK-US

Michelle Donelan, who was appointed Secretary of State for Digital, Culture, Media and Sport last month, also announced on 07 October that the UK was also in talks with the US about a new scheme similar to DPF for transfers from the UK. She said that the negotiations had made “significant progress” and they also announced that the UK would be a qualifying country for the new DPRC. The plan seems to be to put the deal before the UK Parliament in early 2023. It seems then that the UK is trying to progress effectively parallel discussions with the EU, in a similar way to the way in which Switzerland progressed discussions for a mirror Privacy Shield deal before that was struck down.

The deal seems to be a part of a wider official dialogue between the UK and US Governments which will include an annual meeting of senior officials looking at issues like data, critical and emerging technologies and resilient digital infrastructure.

UK-Singapore

The UK is also exploring a data transfer agreement with Singapore. This is another potential deal where there is little detail at the moment. Michelle Donelan additionally announced on 07 October that she was in Singapore in part to discuss a data transfer deal between the UK and Singapore and to agree a timetable to conclude adequacy talks.

Singapore has toughened its data protection laws in recent years and it has an active Data Protection Authority, the Personal Data Protection Commission (PDPC). Amendments to the enforcement provisions of Singapore data protection legislation came into force on 01 October 2022 and, amongst other things, the financial penalty cap that the PDPC can impose increased from a fixed cap of S$1 million to up to 10% of the organisation’s annual turnover in Singapore depending on a number of conditions.

There is as yet no timeframe given for the Singapore deal.

What happens next with the UK deals?

We’re still awaiting details for both deals. In some respects for the UK deals this is new territory as no deals have been done yet in the UK post-Brexit.

What can companies do now?

The first thing to say is that this is not necessarily a done deal. Whilst the European Commission can technically sign a deal we can expect the European Parliament to want to have their say. We can also expect court challenges – and as we have said those challenges were successful for both Safe Harbor and Privacy Shield. So the net result is there will still be some delay before the new scheme takes effect and even then most organisations will want to regard it as a temporary deal and still work on their other compliance measures – especially doing double due diligence on the organisations they are sending data to and the measures in place to protect data in that jurisdiction.

Both the White House and the European Commission might be saying that they are confident that the deal will stand up to judicial scrutiny but we’ve been down this road before too with both sides saying that Privacy Shield would survive a court challenge. It didn’t. There’s too much at stake for businesses to rely on those words of comfort especially given the issues which remain with data transfer and the likely challenges.

Will this result in more litigation?

Challenges could also be made to the UK decisions. That could take the form of challenges in the UK Courts but there is also a possibility of a challenge being made at an EU level particularly if it is argued that any decisions the UK take undermine the Adequacy Decision from the EU made in the UK’s favour.

What is certain is that these three deals are in no way complete. Organisations will still need to look at some other way of legitimising data flows in the short to medium term. For most, that will still include a reliance on standard contractual clauses and IDTAs.