Do not get caught out! EU/UK-US Data Transfers in Muddy Waters

Iga Sloan

If you are a US business offering goods or services in the EU or the UK and you used to rely on the Safe Harbor Framework (Safe Harbor) for international data transfers, your boat was rocked when the Court of Justice of the European Union (CJEU) gave its decision in Schrems I. In 2015 it invalidated the international data transfers framework between the EU and the US. This came as a result of Snowden’s revelations and a complaint from Max Schrems, who expressed concern to the Irish data watchdog that his personal data, as sent by Facebook Ireland to Facebook Inc (US), was accessible by US intelligence. The invalidation of the Safe Harbor led to the creation of the Privacy Shield certification programme. This in turn was invalidated by the CJEU in its decision in Schrems II, following a similar argument by Schrems that the US intelligence service still had indiscriminate access to personal data once it reached the US.

It was clear that the data transfers relying on the certification regime had to stop, until a new international data transfer mechanism could be found. This would likely be costly and in the meantime serious steps would need to be taken by the US government to mitigate any risks associated with the powers afforded to the US intelligence authorities. The guidance for businesses on how to navigate the consequences of the invalidation- which was due to be provided by the European Board of Data Protection (EBDP)- was being released slowly and thus a long period of uncertainty began. Any company with its servers located in the US, generally became a less favourable vendor for European or UK businesses in B2B arrangements, as it was more cost efficient and safer for the EU/UK businesses to ensure that no data was transferred to the US.

The end of the last year brought a glimmer of hope for businesses relying on data transfers to the US, as President Biden issued the “Executive Order on Enhancing Safeguards for the United States Signals Intelligence Activities” aiming to implement the newest EU-US Data Privacy Framework (DPF) which requires the US government to restrict the previously indiscriminate access to personal data by US intelligence. The same Order also ensures a two-tier redress mechanism to be made available to EU residents in case of their right being violated. Following from that, the European Commission issued a draft adequacy decision for the US. The draft decision was subject to a review by the EBDP , and in February it issued an opinion, 5/2023, in which it emphasised that some aspects of the DPF ought to be further clarified. Following from this the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (the Committee) urged the European Commission to refrain from adopting adequacy relying on the DPF, on the basis that it “fails to create actual equivalence” with the EU’s data protection regime. The decision on adopting the DPF is expected later this year, and then would be passed on for approval to the Council of the European Union.

If adopted, the decision would be a very welcome step in the right direction for businesses and would facilitate for the free flow of data between the EU and the US. Do watch this space though as it is not finalised, and Max Schrems has already expressed his concerns regarding the new proposed arrangement. For now, however, nothing changes, and businesses still need to utilise other international data transfer mechanisms e.g. Standard Contractual Clauses in case of the EU; and the International Data Transfer Agreement in the UK.

Businesses outside of the UK/EU must still comply with additional GDPR and UK GDPR requirements, including appointing an Article 27 representative, if they wish to do business in the UK/EU. This representative acts as a liaison between the company, data authorities and data subjects in respective regions.

As part of its embedded GDPR compliance software, Leo can be appointed as an Article 27 representative both in the UK and the EU. All communications with clients are done via Leo’s Document Exchange module and its GDPR Representative Channel thus helping avoid unsecure emails. The service and our software keep you compliant and safe, and it’s the best way to ensure good business continuity across borders. It’s easy to be set up with Leo in a matter of days. Do get in touch if you are established solely in a jurisdiction outside the UK/EU and have been selling or wish to sell your goods and services in Europe to get this important protection in place.

You can find our more about:

Leo’s GDPR Solution here

Leo’s GDPR Representative channel here

Cryptoasset Firms Brought Under UK Financial Promotion Regulations: A Comprehensive Analysis

The rapid growth of the cryptocurrency market over the past decade, with digital assets becoming increasingly mainstream, has caught the attention of regulatory...

Read more
GDPR Accountability: avoid fines, adherence is easier than you think.

While updating Leo’s privacy and GDPR governance modules in our RegTech Software we realised that one of the most important principals of GDPR-...

Read more
Global 28/06/23
GDPR and AI crossroads: How to balance Data Privacy and AI Governance?

What’s happening? Everyone is talking about how to regulate AI. Though it looks like that’s all it is, just talks. Yet, on the...

Read more
Global 27/04/23
Do not get caught out! EU/UK-US Data Transfers in Muddy Waters

If you are a US business offering goods or services in the EU or UK, and you used to rely on the Safe...

Read more
Global 19/01/23
Why are companies crazy about Online training?

Online training has become incredibly popular in the last 3 years. COVID-19 pushed this to become the first source of training for companies.

Read more