The world has been in a state of ‘limbo’ since July 2020, following the landmark European ‘Schrems II’ court decision. The Schrems II court decision immediately struck down the ‘Privacy Shield’, which previously permitted certain personal data transfers between: (1) the UK and Europe; (2) USA.
The Schrems II court decision was focussed on transfers to the USA, but it had wider implications for transfers outside the UK and Europe to any country which did not have an ‘Adequacy’ finding from a GDPR perspective (since Brexit, these consequences have continued to apply in respect of transfers from the UK to USA under the UK GDPR).
What the Schrems II court decision highlighted was that due to the lack of safeguards for individuals (particularly due to the degree and manner of surveillance by USA governmental organisations), the ‘essential equivalence’ data protection safeguards required by the UK and European data protection regimes, was noticeably absent in respect of personal data transfers to the USA. This has left organisations struggling with trying to stay on the right side of the law when it comes to transfers of personal data to the USA.
Things now finally seem to be moving in the right direction, as President Biden signed an Executive Order on 7 October 2022, regarding the steps that the USA will take to implement its commitments under the European Union-USA Data Privacy Framework (which was announced earlier this year). The Executive Order provides for oversight and safeguards for individuals in the context of the USA’s surveillance and intelligence activities, which in turn should seek to facilitate international personal data transfers to the USA.
The Executive Order seeks to address the key failings which were highlighted in the Schrems II court decision, including by:
- Adding safeguards regarding USA intelligence activities, including a requirement for them to be carried out in accordance with defined national security objectives, and in a proportionate manner. Furthermore, the Executive Order requires account to be taken of the privacy and civil liberties of all individuals, irrespective of nationality or country of residence.
- Having legal, oversight, and compliance officials, responsible for ensuring that appropriate actions are taken to address any incidents of non-compliant USA intelligence activities.
- Requiring the U.S. Intelligence Community to update their policies and procedures to reflect the new privacy and civil liberties safeguards contained in the Executive Order.
- Providing review and redress mechanisms for individuals, in respect of their claims if they feel that their personal information has been collected through USA intelligence activities in contravention of applicable USA laws, including the enhanced safeguards mandated by the Executive Order.
The UK has also entered into discussions with the USA, and it has been confirmed by the USA Secretary of Commerce, that the USA intends to work towards designating the UK as a qualifying state under the Executive Order, so that it too can avail itself of the safeguards under the Executive Order.
The Executive Order is finally a step in the right direction in trying to close the transatlantic gap which has remained since the Schrems II court decision. However, the Executive Order does not currently result in an Adequacy Decision in respect of transfers from Europe to the USA under the EU GDPR, nor an Adequacy Regulation in respect of transfers from the UK to the USA under the UK GDPR. That is still to be addressed over the coming months, with it being envisaged that news on that will be forthcoming by the end of the first quarter of 2023.
Key points for organisations
Although the current announcement does not cure the ‘USA personal data transfers headache’, it does lessen the pain to a degree. In particular, the Executive Order is useful for organisations to factor into their Transfer Risk Assessments (TRAs) and Data Protection Impact Assessments (DPIAs) when considering international personal data transfers to the USA.
How we can help
International personal data transfers give rise to a number of legal considerations, including:
- Undertaking Transfer Risk Assessments (TRAs) and Data Protection Impact Assessments (DPIAs)
- Updating Privacy Notices
- Completing IDTAs
- Preparing Data Processing Agreements
- Undertaking Controller, Processor or Joint Controller assessments
Mills & Reeve’s national IT and data protection law team can assist your organisation with all of these and other legal requirements.
Please contact Jagvinder Singh Kang to arrange an initial consultation call.
Our content explained
Every piece of content we create is correct on the date it’s published but please don’t rely on it as legal advice. If you’d like to speak to us about your own legal requirements, please contact one of our expert lawyers.