More About Transfers of Personal Data to the USA
As of today, the British decision to approve transfers to the USA comes into effect. This means that transfers to the USA are now legally permissible from both the United Kingdom and the European Union. The decisions currently in place likely also mean that further transfers from the USA can be accepted - these are known as onward transfers.
For some time, European businesses have faced challenges in using service providers in the USA after the European Court of Justice, in its "Schrems II" decision, determined that the USA does not offer a sufficient level of protection for personal data. The British have, for the most part, followed the same path as the rest of Europe.
Following prolonged discussions with the European Commission, the USA has implemented legislation to address the issues identified in the Schrems II decision. This summer, the European Commission declared in its adequacy decision for the USA that the country ensures a sufficient level of protection for personal data transferred from the EU/EEA to certified U.S. companies under the Data Privacy Framework scheme (DPF). It is also assumed that changes in American legislation, along with the adequacy decision, make it legally permissible to transfer data based on the European Commission's standard contracts (SCC).
Starting today, the British government's decision to approve transfers to the USA comes into effect - the so-called "data bridge" decision. This means that British businesses can also transfer personal data to the USA, whether to U.S. companies certified under the DPF or on the basis of the IDTA (the British counterpart to the EU's SCC). Businesses should be aware that special requirements apply when transferring sensitive personal data and information about criminal convictions.
The changes that have been put in place make it easier to conduct business with the USA in the future. However, there are still some uncertainties regarding the practical implications of the formal decisions by the European Commission and the British government. As many have pointed out before, it is also uncertain whether the framework in place will stand the test of time.
Onward Transfers from the USA to Other Third Countries
For businesses, it is practically important to understand what applies to any onward transfers made by the data importer in the USA, for example, where a data processor in the USA uses a sub-processor in another third country outside the EU/EEA. Must the European data controller perform independent assessments of such onward transfers, or can it rely on the adequacy decision currently in place, along with the EU-U.S. Data Privacy Framework and/or the British "data bridge" decision? Chapter V of the General Data Protection Regulation does not, in principle, require any additional measures to be taken when businesses transfer data on the basis of an adequacy decision.
Businesses can, therefore, trust that the legal framework in the USA is sufficient and need not worry about onward transfers when transferring to a certified company. However, both the U.S. framework and adequacy decisions for other countries have been criticized for weak regulation of onward transfers. If the EU-U.S. framework is challenged in the European Court of Justice, it is not impossible that this weakness will be addressed. Nevertheless, the rule for now is that transfers - and onward transfers - may take place as long as the framework stands.
Transferring to the USA Based on Standard Contractual Clauses – Requirement for TIA?
In principle, a Transfer Impact Assessment (TIA) is required when businesses transfer personal data to a third country outside the EU/EEA without an adequacy decision covering the specific transfer. At the same time, the European Commission has assessed in the adequacy decision that the relevant U.S. laws are proportionate and necessary, which is essentially what a TIA is meant to evaluate. The same applies in the United Kingdom. It is somewhat unclear today what documentation the European supervisory authorities will require, but businesses will likely go a long way by referring to, and possibly aligning with, the European Commission's assessments.
The Road Ahead
Regarding the EU, we do not know at this time whether the adequacy assessment and the DPF framework will withstand potential testing in the European Court of Justice. NOYB (European Centre for Digital Rights) has stated on its website that it has already prepared various procedural alternatives to challenge the new framework in the EU Court of Justice - and a French member of the EU Parliament has already filed a complaint about the framework with the European Union General Court. The Norwegian data protection authority states on its website that the new framework is most likely to be tested in the European Court of Justice and that there is a risk that the new rules will be overturned. If that happens, it will once again become difficult to transfer personal data to the USA. Therefore, as a best practice, we recommend that businesses continue to monitor their transfers, including onward transfers. Businesses should also consider whether additional documentation and measures beyond what is strictly necessary at present are appropriate to ensure resilience. One concrete measure, in any case, is to maintain a reasonable overview of data flows, including ensuring that the data processing agreements entered into have sound provisions on the use of sub-processors.
Regarding the British "data bridge" scheme, it will be interesting to follow the development of similar agreements with other third countries. The proposed new data protection act in the United Kingdom includes a proposal to change the threshold for adequacy from "essentially equivalent" to "not materially lower," which could lead to a somewhat lower threshold for approval of third countries under the "data bridge" scheme than in the EU. According to guidelines published by the British government, countries such as Australia, Brazil, and India are on the list of prioritized candidates for approval of transfers from the UK.
You can learn more about the adequacy decision in a previous article published on Wikborg Rein's website.
The Norwegian data protection authority provides answers to some practical questions about the rules for transferring personal data to the USA on its website.