Why EU-US Privacy Agreements Matter
In addition to regulations like GDPR and CCPA, international privacy agreements have become vital for commerce. The governance of EU-US data flows has come into the spotlight several times in recent years, and for good reason: the privacy agreements keep evolving, and there is currently no overarching framework for this key arena of trade. Data flows are big business: the US exported $31 billion in information and communication technologies to the EU in 2019 alone. Here is an overview of recent agreements and the current situation for businesses relying on data transfers between the EU and US.
Safe Harbor and Schrems I
In 2000, the EU and US agreed to the Safe Harbor Framework to govern EU-US data flows. In short, the Safe Harbor Framework required participating businesses to comply with seven principles:
- Notice: notifying individuals of data collection, processing, and the associated purposes
- Choice: providing an opt-out feature to individuals regarding third-party transfers, as well as an opt-in feature for any third-party transfer of sensitive data
- Onward Transfer: applying the notice and choice principles to any third parties receiving individuals’ personal data
- Access: granting individuals the right to access their own personal information, as well as an ability to edit or delete inaccurate data
- Security: implementing measures to protect against unauthorized access and use of data
- Data Integrity: ensuring that personal data is accurate and complete for its purposes
- Enforcement: establishing the necessary processes and requirements for resolving individuals’ complaints
Privacy Shield and Schrems II
With the Safe Harbor Framework invalidated, the EU and US reformulated their governing agreement into the EU-US Privacy Shield, which was enacted in 2016. The Privacy Shield sought to address and improve the deficiencies of the Safe Harbor Framework, particularly in strengthening requirements on the companies that process personal data, specifying the scope of US government access to data, and granting European citizens the needed tools to resolve Privacy Shield disputes.
However, the Court of Justice of the European Union invalidated the Privacy Shield in its 2020 “Schrems II” decision, citing the reach of US surveillance programs impacting the Privacy Shield and the incompatibility with GDPR requirements. Importantly, though, the court did not invalidate standard contractual clauses (SCCs), which are legal agreements between EU and non-EU parties.
Current State of Affairs
As of early 2021, the EU and US remain without a framework to govern data transfers between them. Establishing a replacement framework appears to be a priority for the US government, both in its prompt appointment of Christopher Hoff to lead EU-US data transfer negotiations and in US Commerce Secretary Raimondo explicitly naming a replacement as a priority. However, the path forward is unclear, with some sources reporting that a new agreement could take years while talks between negotiators ramp up. One of the key factors in a replacement framework could be the enactment of federal privacy legislation in the US, which would standardize privacy protections.
As negotiations progress, the absence of an overarching data transfer framework is having measurable impacts on the more than five thousand businesses that had previously relied on the Privacy Shield. A majority of these businesses are SMEs, and they need to follow stringent, case-by-case obligations to demonstrate that their data practices satisfy EU privacy requirements. Now, not only have businesses lost a reliable framework for their data practices; they are also footing thousands of dollars in legal fees to draw up new agreements that demonstrate that their practices are sound.
In handling EU-US data transfers, businesses in the EU and the US must comply with regulations like GDPR. However, US businesses find themselves at a disadvantage because, unlike EU businesses, they have no standard framework to satisfy privacy requirements in transferring data from overseas subjects. Without a Privacy Shield replacement, the onus is largely on US businesses to navigate the international privacy landscape.
For the time being, SCCs remain a lifeline for US businesses looking to process EU residents’ data. Other tools like binding corporate rules (BCRs) and derogations may provide alternative avenues for compliant data transfers. European Commission Head of International Data Flows mentioned in late April 2021 that new SCCs could be on their way in a matter of weeks. These updated SCCs may make it more straightforward for businesses to transfer EU residents’ data to the US. At Ethyca, we will share major developments regarding EU-US data transfers on our website and in our weekly newsletter.