26 April: What’s new in Personal Data Transfers from the EU to the USA?
Authors: Giada Iovane, Luciana Di Vito and Marco Emanuele Carpenelli
On 25 March 2022, European Commission President Ursula von der Leyen issued a joint statement with USA President Joe Biden on reaching an agreement on the transfer of personal data from the EU to the USA[1]. In the future, such an agreement should fill the gap resulting from the invalidation of the Privacy Shield, which occurred following the well-known judgment of the Court of Justice of the European Union (hereinafter “CJEU”), the so-called “Schrems II” decision (C-311/18).
The joint statement referred to the “Trans-Atlantic Data Privacy Framework” (or “Privacy Shield 2.0”) and its principles (which can be found on the official European Commission website). However, this Privacy Shield 2.0 does not yet constitute a legal instrument that can serve as the basis for the lawful transfer of personal data to recipients established in the USA in the way an Adequacy Decision pursuant to Article 45 of Regulation (EU) 2016/679 (hereinafter “GDPR”) does.
Based on the initial and generic information that has been released by the European Commission and the American government, Privacy Shield 2.0 is expected to be based on:
- The identification of binding rules and safeguards to limit access to data by USA Authorities, while respecting national security;
- A new two-tier redress system to investigate and resolve complaints of Europeans concerning access to data by American intelligence authorities, which includes a Data Protection Review Court;
- The introduction of specific monitoring and review mechanisms.
Considering these latest developments, we set out below the practical and commercial consequences for organizations transferring personal data to the USA.
Before doing so, let us briefly review the regulatory events that have affected the issue of transfers to the USA.
Brief regulatory overview: From Safe Harbor to Privacy Shield
- The legislation preceding the GDPR (Article 25 of Directive 95/46/EC) already provided for the need to ensure an adequate and at least equivalent level of protection for personal data when transferred to a third country (i.e., outside the European Economic Area).
- On 26 July 2000, the so-called “Safe Harbor” was adopted: it was the first adequacy decision to regulate the transfer of personal data to the USA, and it remained valid until the Schrems I judgment (C-362/14) in 2015. Safe Harbor, on the one hand, allowed American companies that complied with certain requirements to apply for inclusion on the “Safe Harbor List” and to benefit from the free movement of data. On the other hand, it allowed European organizations, by simply consulting the list, to verify that such third parties were actually included on it and had implemented the agreements in practice.
- On 6 November 2015, with the Schrems I judgment, the CJEU declared Safe Harbor invalid (essentially because of the power of interference of USA authorities[2], such as the National Security Agency).
- On 16 July 2016, the European Commission and the USA Department of Commerce signed a new agreement, Privacy Shield, with the aim of resolving the problems of inadequacy that the CJEU had identified in the Safe Harbor decision. The Schrems I ruling was thus “easily” overcome with the Privacy Shield, which was based on a self-certification mechanism and consequent inclusion in the Privacy Shield List.
- Privacy Shield’s innovations over Safe Harbor can be specified: for example, an ombudsman / ombudsperson was established, meant to rule on complaints and reports from data subjects. Moreover, data subjects were given the right to contact companies to which the Privacy Shield applied, and those companies were required to reply within 45 days of receiving the request. Notwithstanding these innovations, in the Schrems II judgment the CJEU invalidated the adequacy decision because it failed to ensure adequate protection of the fundamental rights of data subjects whose data was transferred to the USA (it declared the mediator mechanism unsuitable, again highlighting an infringement of the equivalent protection principle, as the USA authorities continued to have access to personal data for national security purposes).
The current scenario: Available tools and (new) obligations
Since the details of the Trans-Atlantic Data Privacy Framework are yet to be defined, it has not yet replaced the Privacy Shield. As a result, from an operational point of view, the scenario that we have faced since July 2020 has not changed.
In the absence of an adequacy decision (Art. 45 GDPR), organizations may make use of:
- Standard Contractual Clauses (SCCs);
- Binding Corporate Rules (BCRs);
- the exceptions set out in Article 49 GDPR, as a residual remedy and within the limits provided for by the European Data Protection Board (“EDPB”) in its Guidelines.
With regard to the SCCs, it should be recalled that, although they have been updated following the Schrems II judgment, the SCCs are no longer sufficient in themselves (as they were in the past). This is because of the inadequacy of the American data protection system in view of the considerable forms of interference by public authorities for reasons of national security. For this reason, in addition to the use of the SCCs, the adoption of the “supplementary measures” identified by the EDPB (with Recommendations 1/2020 and 2/2020) becomes necessary.
Therefore, organizations intending to transfer data outside the EEA, and more precisely, to countries without an adequacy decision, should:
- Map all personal data transfers;
- Carry out, and document that they have carried out, a TIA (Transfer Impact Assessment)[3] in order to assess the adequacy level of the third country and verify the need to adopt supplementary measures, such as, for example, pseudonymized data transfer, data encryption (in transit, at rest or end-to-end), data splitting, etc.;
- Integrate and update the privacy documentation in use (e.g., privacy notices, record of processing activities);
- Constantly monitor legislation and the indications of the supervisory authorities, so as to ensure maximum compliance with regulatory developments, also in order to avoid the application of sanctions[4].
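As an added illustration of two of the supplementary measures named above (pseudonymization and data splitting), the following Python script is an example written for this page, not code from the article or from ICTLC’s TIA methodology. It assumes a constructed customer dataset and a hypothetical field layout; the direct identifiers are replaced by a keyed HMAC token before export, the token-to-identity lookup table and the key stay with the exporter in the EEA, and a pre-transfer check fails closed if any direct identifier field survives in the export set.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample records (fictitious people) that a controller might export
# from the EEA to a US service provider for analytics. Field names are assumed.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "email": "anna@example.org", "country": "IT", "spend_eur": 120.50},
    {"customer_id": "C-1002", "email": "bob@example.org", "country": "DE", "spend_eur": 89.00},
]

# Fields that directly identify a data subject and must not leave the EEA.
DIRECT_IDENTIFIERS = ("customer_id", "email")


def pseudonym(secret_key: bytes, value: str) -> str:
    """Keyed pseudonym (HMAC-SHA256). Without the key, the importer can neither
    reverse the token nor recompute it from a guessed identifier."""
    return hmac.new(secret_key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def split_and_pseudonymize(records, secret_key: bytes):
    """Data splitting plus pseudonymization.

    Returns (export_set, lookup_table):
      - export_set: records with direct identifiers removed and one keyed
        token added; this is the part that is transferred.
      - lookup_table: token -> original identifiers; this part stays with the
        exporter and is never transferred.
    """
    export_set = []
    lookup_table = {}
    for rec in records:
        token = pseudonym(secret_key, rec["customer_id"])
        lookup_table[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        exported = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        exported["subject_token"] = token
        export_set.append(exported)
    return export_set, lookup_table


def contains_direct_identifiers(export_set) -> bool:
    """Pre-transfer check: True if any direct identifier field survived."""
    return any(k in rec for rec in export_set for k in DIRECT_IDENTIFIERS)


def reidentify(lookup_table, export_set):
    """Only the exporter, holding the lookup table, can join results back
    to the original identities."""
    return [{**rec, **lookup_table[rec["subject_token"]]} for rec in export_set]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated and retained in the EEA
    exported, lookup = split_and_pseudonymize(SAMPLE_RECORDS, key)
    if contains_direct_identifiers(exported):
        raise SystemExit("refusing transfer: direct identifiers present")
    print(json.dumps(exported, indent=2))
```

The design point is that the pseudonymization key and the lookup table are the elements a TIA would document as remaining under the exporter’s exclusive control; if either were shipped alongside the export set, the measure would add nothing.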
Conclusions
Even though the joint declaration of 25 March 2022 opened, de facto, the way for a new agreement, the Trans-Atlantic Data Privacy Framework, doubts remain as to how the long-standing issue of data transfers to the USA will be resolved. In particular, on the one hand, the intention to intervene by means of an “Executive Order”[5] of the USA President, rather than by amending ordinary legislation (which could also affect surveillance[6]), might not be sufficient to avoid a new invalidation, as already happened with Schrems I and II. On the other hand, it would be useful to understand whether the new agreement will be modelled on an automatic transfer mechanism or whether, instead, as before, it will be based on the adherence of each American company to the new framework (as would seem to follow from the Privacy Shield 2.0 fact sheet).
The new mechanism will hopefully not have the significant elements of inadequacy of its predecessors and will make it possible to achieve the required level of protection. Strictly speaking, this mechanism should be backed by a more incisive legislative intervention on the part of the USA; it should provide, at the very least, for an automatic transfer mechanism and thus avoid making the lawfulness of transfers dependent on the inclusion of USA companies on a special list.
In any case, it can be concluded that, despite the new developments, all the compliance requirements mentioned above remain unchanged for organizations. ICTLC is available to assist clients in the regulation of international data transfers.
[1] The EDPB’s recent Guidelines on “Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR” are useful for identifying when a given activity gives rise to a “transfer” of personal data.
[2] Such interference may result from the access by USA public authorities to personal data transferred from the EU to the USA and the use of such data in the context of the PRISM and UPSTREAM surveillance programs based on Article 702 of FISA and Executive Order No 12333.
[3] It should be noted, in this regard, that ICTLC has developed a methodology for conducting the Transfer Impact Assessment (TIA) that includes, for example:
- processes for identifying transfers of personal data outside the EEA;
- processes for identifying and analyzing any local regulations in force in the country of the data importer and applicable to suppliers, in order to assess possible “interference” and possible risks to the rights and freedoms of data subjects; and
- processes for assessing, identifying and testing the adequacy and feasibility of the application of supplementary measures.
[4] It is recalled that the violation of transfer rules falls within the bracket of administrative fines of up to 4% of total annual worldwide turnover or up to EUR 20,000,000 (Art. 83(5) GDPR).
In this sense, we recall some decisions on the subject: CNIL on the use of Google Analytics; Bavarian DPA on the use of Mailchimp; Garante per la protezione dei dati personali with regard to the Università Commerciale “Luigi Bocconi”.
[5] To this end, please read the fact sheet, which expressly mentions at the end that an Executive Order will be issued: https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/25/fact-sheet-united-states-and-european-commission-announce-trans-atlantic-data-privacy-framework/.
[6] Although desirable, legislative action on security matters is considered difficult to achieve, particularly in the light of the very recent judgment of the USA Supreme Court in FBI v. Fazaga, which limited the individual’s right to question USA government surveillance activities.