Hashed & Salted | A Privacy and Data Security Update
The rules for transfers of data of European Union data subjects to U.S. companies have created an ever-evolving legal and political landscape for decades. In this digital age of the 21st century, the U.S. and the EU maintain an extensive trade and investment relationship driven in large part by the exchange of data across the pond. However, fundamental differences in law and policy surrounding data privacy and protection have contributed to an unstable framework for transatlantic data transfers. While the U.S. relies on a combination of legislation, regulation and self-regulating guidelines, the EU has in place comprehensive legislation with independent government data protection enforcement agencies. Quite simply, the EU treats the privacy of an individual as a fundamental right, while the U.S. does not.
To understand where we are today, we must review the history.
- 1998 – The EU prohibited the transfer of personal data to non-EU countries if those countries did not meet the EU “adequacy” standard.
- 2000 – The U.S. did not meet the EU adequacy standard, causing the U.S. Department of Commerce to develop the U.S.-EU Safe Harbor Framework to facilitate the flow of data from the EU and Switzerland to the U.S.
- 2015 – The Court of Justice of the European Union (CJEU) invalidated the U.S. EU Safe Harbor Framework as ineffective in protecting the personal data of the EU’s data subjects.
- 2016 – A revised framework, the EU-U.S. Privacy Shield, was established as an improved and valid legal mechanism to safeguard the privacy of individuals.
- 2020 – The CJEU struck down the EU-U.S. Privacy Shield as ineffective in safeguarding transatlantic data transfers because the U.S. was deemed not to adequately meet EU standards to protect EU citizen data from government surveillance.
- 2021 – The European Commission updated the EU Standard Contractual Clauses (SCCs).
- 2022 – Due to Brexit, the updated EU SCCs did not apply automatically to the U.K., resulting in the country’s Information Commissioner’s Office’s development of guidance for U.K. data transfers and requiring use of the International Data Transfer Agreement (IDTA), or the U.K. Addendum to the 2021 EU SCCs.
As things stand today, companies must adopt the newly updated EU SCCs and overlay the U.K. requirements with either the stand-alone IDTA or the new U.K. Addendum to the 2021 EU SCCs for each and every transatlantic data transfer. With an invalidated EU-U.S. Privacy Shield, executing these documents and allocating resources to ensure compliance with these written obligations is the next best option for EU and U.S. companies to facilitate data transfers from Europe to the U.S. These documents have intensified compliance obligations for businesses.
Meanwhile, companies on both sides of the Atlantic have been pining for a replacement for the EU-U.S. Privacy Shield to ease the burden of entering into EU SCCs for each and every transatlantic data flow. The Biden administration came into office grounded in the philosophy of multilateralism—cooperation among governments to solve problems—giving hope to a transatlantic agreement for a new, valid transfer mechanism. Questions continue, however. Just last month, the U.S. Supreme Court, in FBI vs. Fazaga, gave the U.S. government a more extensive ability to access private citizens’ personal data in surveillance cases under the Foreign Intelligence Surveillance Act of 1978 (FISA). In other words, it remains the case that the U.S. government has significant latitude to collect personal data (including names, contact information, and religious and political affiliations) of Americans, citizens of European nations and persons of any other nationality, to protect against the efforts of foreign governments and their agents to engage in intelligence-gathering aimed at the U.S. government.
Nonetheless, a mere three weeks after the Court’s decision, on March 25, 2022, U.S. President Joe Biden and European Commission President Ursula von der Leyen announced a new agreement for transatlantic data transfers. While this announcement suggests an end to the uncertainty related to EU-U.S. data flows, a healthy dose of skepticism is warranted. Significant detail will need to be developed between the EU and U.S. negotiators to create a sustainable data transfer framework.