Hogan Lovells 2024 Election Impact and Congressional Outlook Report
Another Summer, another hugely significant development for international data transfers. In 2020, it was the landmark Schrems II decision. In 2021, it was the adoption of the new Standard Contractual Clauses (SCC) and the Summer of 2022 brought with it a sweeping heatwave of extreme regulatory decisions signalling the incurable unlawfulness of every transfer of data to the United States involving an electronic communications service provider. This year, the development follows the relentless—and hopefully productive—work of the European Commission and the US Government to finally get it right and agree a framework that is able to pass the elusive “adequacy test”. The outcome has been the Commission’s adequacy decision on the EU-US Data Privacy Framework (DPF). Given the unbearable pressure on this topic, as highlighted by the aggressive enforcement activity seen this year so far, to say that this is a welcome development is an understatement, but what are the essential truths about it?
What should be obvious by now is that the restrictions on international data transfers, which were originally designed to avoid European data protection becoming redundant in the face of globalisation, have become all about restricting foreign states’ surveillance involving European data. This shift on emphasis from data protection governance to government access to data was triggered 10 years ago by Edward Snowden’s disclosures and as a result, the attention has exclusively focused on the powers and practices of US government agencies. Therefore, by far the most significant aspect of the DPF from a European perspective is simply the new enhanced safeguards applicable to US intelligence gathering practices. As a result, the success of the DPF will be entirely judged on whether the US government has managed to come up with a formula that makes its national security needs compatible with Europe’s democratic values.
At a practical level, the DPF suddenly provides a more ample choice of mechanisms to legitimise transatlantic data transfers. Benefiting from the full swing of options available under the GDPR, transfers of data to the US can now be undertaken by fully relying on the DPF adequacy decision or by using any of the tools recognised by the law as adequate such as BCR or SCC. Essentially a choice between Article 45 and Article 46 for the connoisseurs. In reality, the applicable data protection standards should be the same. Relying on the DPF adequacy decision means that the US importer will have voluntarily joined the new DPF program which requires compliance with its GDPR-inspired principles, while the other methods bind the importer to follow more traditional versions of the same. Which one to go for is unlikely to be determined by how onerous the obligations might be but by what suits the culture, strategic thinking and practical priorities of the parties.
The biggest practical impact of the Schrems II decision was the requirement to undertake Transfers Impact Assessments (TIA) every time that a data transfer was legitimised through SCC or BCR. And while full reliance on the DPF does away with this requirement, transfers to the US which are subject to the safeguards provided by SCC or BCR will still need to be complemented by a TIA. However, the European Commission has done everyone a massive favour by undertaking a thorough assessment of the powers of US government agencies to access European data and firmly concluding that this is compatible with European law. So any TIA that considers the ability of existing SCC or BCR to protect data transferred to the US will be able to reach the same conclusion. Whether the same will be true for transfers to other countries is, of course, a different matter given the European regulators’ strict approach to this issue.
The only remaining question about the DPF that nobody can answer with absolute certainty is whether it will survive any eventual scrutiny by the Court of Justice of the European Union (CJEU). What is a lot more certain is that the appetite for that scrutiny remains, and while European regulators cannot directly challenge the validity of the Commission’s adequacy decision, it only took 24 hours for Max Schrems himself to confirm that a legal challenge would be brought. As to the success of such a challenge, the truth is that anything can happen, but a fact that should not be ignored is that out of the 64 pages (excluding annexes) of the adequacy decision, nearly half of them are devoted to thoroughly assess the limitations and safeguards applicable to the access and use of personal data for national security purposes, as well as the oversight and redress mechanism. This is to say that beyond the political arguments and hyperbole, the legal analysis more than suggests that the DPF is robust, workable and lawful.
This article was first published in Data Protection Leader in August 2023.
Authored by Eduardo Ustaran.