In an increasingly datafied and globalized world, businesses have become reliant upon the seamless flow of cross-border data transfers. Transatlantic data flows play an important role in the U.S. economy. The U.S. and the European Union (EU) conduct $5.6 trillion in transatlantic trade annually, most of which is facilitated by cross-border transfers of data.[1] With growing cross-border data transfers, lawmakers are paying heightened attention to the transfer of certain types of data, such as personal data. In keeping with a historical trend, the EU again recently scrutinized transatlantic data flows due to privacy concerns.
Increased EU concerns over personal data transfers could have a negative impact on certain types of transatlantic trade. For example, information and technology services, such as social media networks and cloud services, find themselves caught in the crosshairs as the U.S. and the EU work to ensure use of legal data transfer mechanisms in compliance with the General Data Protection Regulation (GDPR). This article discusses recent developments in restoring the transatlantic trade framework following the Schrems II decision.
The Point of No Return: Schrems II Upends the U.S. and EU Cross-Border Data Transfer Framework
On July 16, 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-U.S. Privacy Shield framework in its Schrems II (C-311/18) decision. The Privacy Shield regulated exchanges between the U.S. and the EU of personal data for commercial purposes. Principally, the CJEU invalidated the Privacy Shield framework for its failure to provide EU citizens with effective legal redress, as well as its failure to adequately protect EU citizens from having their data intercepted by U.S. intelligence authorities. Although its decision upended the framework for transatlantic cross-border data flows, the CJEU left in place a tenuous path towards compliance by affirming the validity of Standard Contractual Clauses (SCCs) as acceptable data transfer mechanisms.
With the Privacy Shield dismantled, U.S. businesses now have been relying on SCCs that arguably were validated by the CJEU, yet do not necessarily provide the standard of protection for data demanded by European privacy laws. Importantly, if businesses are to rely on SCCs, those located outside the EU must engage in careful analysis of whether they will be able to ensure adequate protection according to EU law. This can be especially difficult for U.S. businesses due to certain national security laws, but the risk may be offset by supplementary measures.
The European Response: New Draft SCCs and Joint EDPB and EDPS Statements
To address these concerns, the European Commission published a decision on SCCs for the transfer of personal data to third countries pursuant to the GDPR, including new draft SCCs, which were open for public comment until December 10, 2020.[2] The new draft SCCs align the SCCs with the GDPR and provide safeguards for situations involving public authority governmental access requests in the data importer’s country.
On January 15, 2021, following the public comment period for the new draft SCCs, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) adopted joint opinions addressing the new draft SCCs released by the European Commission. In their opinion discussing international transfers, the EDPB and EDPS commended the new draft SCCs’ handling of Schrems II as well as the increasingly widespread involvement of multiple data importers and exporters in complex data processing. Nonetheless, the EDPB and EDPS expressed the need for further clarity regarding potential public authority access and again suggested that businesses consider supplementary measures in addition to SCCs.
Upon approval, which is expected early this year, the new draft SCCs will replace the old, providing businesses with the appropriate safeguards to make transatlantic data transfers under the GDPR. Once adopted, businesses will have 12 months to replace any noncompliant SCCs with the new draft SCCs.
The U.S. Response: White Paper Guidance and Expectations Under a Biden Administration
With Schrems II’s effective invalidation of the Privacy Shield, the U.S. has to quickly find alternative legal mechanisms for cross-border data transfers. Regardless of the CJEU’s invalidation, the U.S. still requires compliance with U.S. Privacy Shield standards for those companies that are certified under the framework, so businesses may wish to continue to recertify with the U.S. Privacy Shield as a compliance measure.[3] Additionally, in September 2020, the U.S. government released a white paper, highlighting arguments and legal authorities for U.S. companies to consider when assessing how U.S. national security law protects EU personal data to ensure legal cross-border data transfers.[4]
More recently, the Biden Administration signaled its determination to put an end to the current international data privacy limbo with its appointment of Christopher Hoff as deputy assistant secretary for services at the U.S. Department of Commerce’s International Trade Administration.[5] One of his chief tasks will be to facilitate and oversee cross-border digital trade arrangements.
As yet, the legal framework for transatlantic cross-border may be tenuous, but steps by both European and United State officials provide clear indication of the will to find an expeditious solution. Businesses that conduct regular cross-border data transfers should consider the current scope of their SCCs and involve counsel to assess the new draft SCCs and the additional adjustments proposed by the EDPB Recommendations. In addition, companies should consider having data privacy plans that address the multiple countries (or even individual state or province laws) in which the data may be shared.
Note:
[1] The Invalidation of the EU-US Privacy Shield and the Future of Transatlantic Data Flows, Hearing before the U.S. Senate Committee on Commerce, Science, and Transportation (2020) (testimony of James M. Sullivan, Deputy Assistant Secretary for Services, Int’l Trade Admin., U.S. Dept. of Comm.) available at https://www.commerce.senate.gov/services/files/8F72849E-3625-4687-B8F5-71AFF4640D1F.
[2] The Draft Implementing Decision and Annex are available at https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12741-Commission-Implementing-Decision-on-standard-contractual-clauses-for-the-transfer-of-personal-data-to-third-countries.
[3] Privacy Shield Overview available at https://www.privacyshield.gov/program-overview.
[4] September 2020 White Paper: Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II available at https://www.commerce.gov/sites/default/files/2020-09/SCCsWhitePaperFORMATTEDFINAL508COMPLIANT.PDF.
[5] Christopher Hoff biography available at https://www.trade.gov/biography/christopher-hoff.
