A bridge to nowhere?
The Information Commissioner’s divergence from the approach taken by its erstwhile peers in supervisory authorities across the EEA in relation to restricted international data transfers has taken some of the pressure off UK entities transferring personal data from the UK to the US post-Schrems II and the demise of the so-called ‘Privacy Shield’. It also lessens the impact of the recent decision of the Irish Data Protection Commission – albeit at the insistence of the European Data Protection Board (EDPB) – against Meta Platforms Ireland Limited that transfers of personal data from the EEA to the US, which purported to be carried out in reliance on the safeguard of updated EC Standard Contractual Clauses (SCCs) and supplementary measures, had been carried out in breach of Article 46(1) GDPR, leading to the highest fine under the GDPR and an order to suspend processing being issued.
UK data controllers and processors would nevertheless welcome clarity over the lawfulness of ex-UK transfers of personal data to the US, and a simple, bureaucracy-free mechanism to achieve that. The announcement on 08 June 2023 that the UK and US governments had reached a “commitment in principle over a ‘data bridge’”, as part of the wider Atlantic Declaration, will therefore have been welcomed.
But just how sturdy is the bridge, and will it stretch across the Atlantic?
More a flyover than a bridge, the UK’s proposed solution, adequacy regulations serving as a safeguard permitting transfers of personal data from the UK to the US, is framed as “the UK extension to the EU-US Data Privacy Framework”. The Trans-Atlantic Data Privacy Framework was announced in March 2022 and was followed in October by the publication of President Biden’s Executive Order, which sought to address the shortcomings in the Privacy Shield framework identified by the CJEU in the Schrems II case.
The UK-US bridge is said to be contingent upon: (i) the Secretary of State making regulations under s17A Data Protection Act 2018 that she considers that an adequate level of protection of personal data is ensured, having conducted an assessment of adequacy having regard to the factors identified at Article 45(2) UK GDPR, consulting with the Information Commissioner as part of the process, in accordance with the 2021 Memorandum of Understanding on the role of the ICO in relation to new UK adequacy assessments; and, (ii) the US designating the UK as a qualifying state for the purposes of the signals intelligence redress mechanism at section 3 of Executive Order 14086, which enables certain public authorities in qualifying states to submit qualifying complaints regarding US signals intelligence activities to the Civil Liberties Protection Officer of the Office of the Director of National Intelligence in the first instance.
As an adjunct to the framework proposed between the US and EU, however, and mindful of the UK’s desire to retain its own European Commission adequacy decision which will require it to provide adequate protection in respect of onward transfers, it is likely that the UK data bridge will also be contingent upon the Trans-Atlantic Data Privacy Framework (‘TADPF’) being implemented.
That hit a roadblock last month when the European Parliament voted in favour of re-opening negotiations with the US on the terms of the framework, as set out in the Commission’s draft adequacy decision. The vote followed a resolution tabled on behalf of the Committee on Civil Liberties, Justice and Home Affairs (the LIBE Committee), building on its March report, to the effect that “the Data Privacy Framework principles issued by the US Department of Commerce have not been sufficiently amended, in comparison to those under the Privacy Shield, to provide essentially equivalent protection to that provided under the GDPR”. The resolution therefore concluded that “the EU-US Data Privacy Framework fails to create essential equivalence in the level of protection” and called on MEPs to vote in favour of calling on “the Commission to continue negotiations with its US counterparts with the aim of creating a mechanism that would ensure such equivalence and which would provide the adequate level of protection required by Union data protection law and the Charter as interpreted by the CJEU; calls on the Commission not to adopt the adequacy finding until all the recommendations made in this resolution and the EDPB opinion are fully implemented”. This outcome acknowledged, but also went beyond, the opinion issued by the European Data Protection Board (EDPB), in which it “positively notes the substantial improvements the EO offers compared to the previous legal framework” while identifying multiple areas requiring further “clarification” from the European Commission.
The response suggests that the framework may not be the privacy magic wand that was hoped, and has echoes of the process which led to the Privacy Shield being adopted despite objections and ultimately led to its demise.
The European Commission has not yet published any announcement in response to the vote, and is not bound by its outcome. Rather than making a U-turn or circling the roundabout with the US, the Commission may instead choose once again to ram its way through the roadblock.
In the meantime, the US is making great strides in implementing its commitments. Prior to the vote, representatives of the Commission and the US had “made it clear that there was a great common will to find a definitive solution and to protect the rights of those affected effectively” during the 7th German-American Data Protection Day. In late March 2023, the Department of Justice gave a presentation on the redress mechanism under the Framework, indicating that the updates to intelligence community procedures necessary to implement the safeguards committed to under the framework were in progress and “due within 1 year”, including the review by the Privacy & Civil Liberties Oversight Board (‘PCLOB’), while judicial appointments, security clearances and the drafting of court procedures also continued to progress. It was confirmed that while no requests for designation of a country as a qualifying state had yet been made by the US Attorney General, requests were being reviewed “now”. Designation requires the Attorney General, in consultation with the Secretary of State, the Secretary of Commerce and the Director of National Intelligence (‘DNI’), to be satisfied that (i) the relevant state “require[s] appropriate safeguards” in conducting signals intelligence on the personal information of US persons transferred from the US to that country, (ii) the country permits, or is anticipated to permit, the transfer of personal information for commercial purposes between it and the US, and (iii) designation would advance US national interests. Given President Biden’s recent remarks, prior to his bilateral meeting with UK Prime Minister Rishi Sunak, that “we don’t have a closer ally than Great Britain” and that the special relationship was “In real good shape”, we don’t anticipate that the UK will have any issue in securing qualifying state status.
Subsequent to the vote, the US Department of Justice continues to prepare for the implementation of the framework. Having issued regulations establishing the Data Protection Review Court (‘DPRC’) in October 2022, the Department of Justice’s Office of Privacy and Civil Liberties issued notices establishing systems for the maintenance of records of the DPRC and proposed rulemaking to exempt such records from the Privacy Act.
Regardless of the Commission’s position, it appears that there is likely to be substantial further delay to any mechanism enabling efficient data transfers from the EEA/UK to the US, however short-lived that mechanism might then prove to be. Pending any adequacy regulations in the UK or the adoption of the adequacy decision by the European Commission under Article 45 GDPR / Article 45 UK GDPR, entities transferring personal data to the US will need to continue to rely on other safeguards, such as the European Commission’s standard contractual clauses together with supplementary measures, or the Information Commissioner’s International Data Transfer Agreement (‘IDTA’) (in each case making sure to conduct a transfer risk assessment/transfer impact assessment), or on a derogation.
If you require support in identifying your restricted international data transfers, establishing lawful bases for these, conducting transfer impact assessments, or drafting and negotiating data transfer agreements or standard contractual clauses and supplementary measures, please don’t hesitate to contact us.