The European Commission and the United States announced an “agreement in principle” in March on the new Trans-Atlantic Data Privacy Framework (TADPF), designed to facilitate the flow of data between the EU and US, and address concerns raised in 2020 by the European Court of Justice in the Schrems II decision.1 US President Joseph Biden followed up on this announcement by issuing the Executive Order On Enhancing Safeguards for United States Signals Intelligence Activities in October 2022, which implements the US’ commitments to the TADPF. Among other things, the order bars US intelligence agencies from collecting individuals’ electronic data, including emails and text messages, transferred from Europe for purposes other than national security and requires any such collection to be proportionate and necessary.2
Most companies appear to support the TADPF as it enables more business transactions and data flow with Europe and brings some relief to the increasingly strict application of the GDPR’s data transfer rules; at the same time, if approved, it will be recognized by the EU Commission as affording appropriate levels of data protection. However, there remains some uncertainty about whether the order will ultimately meet the GDPR’s adequacy standard. As part of this process, the European Commission will draft a proposal for review by the European Data Protection Board, which must then issue an opinion. Next, a committee of EU member states will evaluate the proposal, and then finally, if the committee’s advice is positive, the European Commission will formally issue an adequacy decision for the new framework.3 It is unclear exactly how long this process will take but we expect it will be at minimum six months. Until then, it is likely that European data protection authorities will continue to scrutinize data transfers from the EU to the US. This leaves companies engaged in such transfers wondering what they should be doing in the interim. We have outlined several steps that companies can take now towards achieving TADPF compliance and ensuring continuity of their data flows.
Among all the uncertainty, the European Commission has made clear that companies must have strong obligations related to processing data transferred from the EU.4 Companies should therefore consider whether they wish to include the TADPF in their arsenal of data transfer solutions. If so, companies should re-familiarize themselves with the Privacy Shield Principles, on which the TADPF is based, and determine whether they can comply with its many requirements, including those around notice, choice, onward transfers, security, access, recourse, enforcement, and liability. Although it is not entirely clear at this stage what the exact requirements for TADPF compliance will be, it is reasonable to expect they will be similar to those for the Privacy Shield.
Until the TADPF is finalized, companies should continue using approved data transfer methods, such as binding corporate rules and standard contractual clauses5, and conducting transfer impact assessments (TIAs) as necessary. With TIAs, it is important to understand the risks that could threaten the security of the personal data involved in the transfer and determine which, if any, supplemental security measures are necessary or required given the importing country’s laws. Companies that carry out TIAs for the US may now wish to take into account, as part of their broader risk assessment, the enhanced checks and balances that President Biden's Executive Order introduced. When making these assessments, Dentons is able to leverage its extensive global network of local data privacy experts to best understand the relevant national security laws and how they impact a data transfer.
Companies looking to rely on the TADPF adequacy decision as a valid transfer mechanism if it is adopted will need to be certified by the Department of Commerce under the new Framework.6 In anticipation of this certification process, companies can start taking initial steps to prepare by updating their data maps and inventories and compiling the relevant policies and procedures that will require updating. Companies that still have an active Privacy Shield certification might consider renewing as this may make the transition to TADPF registration easier from an administrative standpoint.
The TADPF ultimately may not prove to be the long-term solution many have been seeking, because the TADPF may not survive various administrative and legal challenges in the EU and the US. Nonetheless, companies can and should benefit from the TADPF by relying on it as a transfer mechanism until it is ruled to be inadequate or unlawful.
On the same day President Biden issued the Executive Order, the UK government published a US-UK Joint Statement on a New Comprehensive Dialogue on Technology and Data and Progress on Data Adequacy, which announced “significant progress on UK-US data adequacy discussions” and set out their goal of “working expediently” to issue a US-UK adequacy decision.7 At the time of the announcement, the UK government hoped for a new UK–US data adequacy agreement “in the coming weeks” – it is unclear whether this will be achieved, not least because of the UK political developments that intervened, resulting in a new government, but it is reasonable to expect that the UK adequacy process will likely be faster than the EU adequacy process. Since the UK only allows for the transfer of personal data to countries where the transfer is consistent with a UK adequacy decision or is permitted under a safeguard or exception provided under UK law,8 companies will need to continue utilizing the currently valid data transfer mechanisms until an adequacy decision is made. In the interim, we generally recommend companies continue conducting their TIAs and either execute a standalone International Data Transfer Agreement to accompany a main contract to ensure compliance with the UK GDPR or prepare a UK addendum to the EU’s 2021 standard contractual clauses.9
Since the TADPF only covers transfers to the US, transfers from the EU to other jurisdictions without adequacy findings will likely remain subject to the current approved data transfer methods, including those involving TIAs. There does seem to be a recent heightened awareness regarding international data transfers that may result in new data transfer frameworks being executed between countries. As a recent example, in April 2022, the US together with Canada, Japan, South Korea, Singapore, the Philippines, and Taiwan established the Global Cross-Border Privacy Rules (CBPR) Forum – designed to operationalize differing regulatory approaches to data transfers and establish new internationally recognized certification systems based on the CBPR standards developed by the Asia-Pacific Economic Cooperation.10 Another recent example, in September 2022, the data protection and privacy authorities of the G7 member countries met to discuss a new initiative, “Data Free Flow with Trust,” which focuses on developing a framework for international cooperation on data flows between governments as well as businesses. And of course, the UK Government is working intensely towards UK adequacy decisions – in addition to the US, other priority countries for adequacy findings (or “UK Data Partnerships”) include Australia, Colombia, Singapore, Dubai IFC, South Korea, and Singapore.
While we wait for news on the European Commission’s and UK Government's decisions on the question of US adequacy, Dentons' US Federal Regulatory and Compliance group and Dentons' Global Privacy and Cybersecurity group will continue to monitor and provide updates. If you would like to know more about your likely obligations with respect to the new TADPF, want to discuss your longer term data transfers strategy, or have questions about data transfer compliance, we are here to assist and advise on how to best prepare for these new obligations. Do not hesitate to get in touch with any of the key contacts listed here or your usual contact at Dentons.