Status Update on Transatlantic Data Transfers: Building Bridges Takes Time

Dec 30, 2020 by Cobun Zweifel-Keegan, Deputy Director, Privacy Initiatives, BBB National Programs

As 2020 draws to a close, and with the announcement of the draft post-Brexit EU-U.K. Trade and Cooperation Agreement, it is a good time to reflect on what we have learned over the past months about the future of authorized transatlantic data transfer mechanisms.

During 2021, we are likely to see new ways for businesses to transfer personal data to the U.S. from both the U.K. and the EU that will resolve the cross-border data transfer compliance uncertainties introduced by the EU’s Schrems II decision on July 16, 2020. (Read our initial guidance on the effects of the Schrems II decision on transatlantic transfers—along with answers to common questions.)

After Brexit, we anticipate two separate frameworks will be needed to support transatlantic transfers. For transfers of personal data from the U.K. to the U.S., the draft EU-U.K. trade agreement may give us insight into the expected timeline of a U.K-U.S. agreement. In parallel, the EU continues high-level discussions with the U.S. for a new “Privacy Shield 2.0” framework to support ongoing EU-U.S. transfers.

In the meantime, reflecting on the structure of the current Privacy Shield Framework can teach us much about what future commercial transfer mechanisms are likely to look like, as well as what businesses can do to shore up their compliance efforts. 

 

Takeaways from the Draft EU-U.K. Trade Agreement

The Christmas Eve draft trade and cooperation agreement between the EU and U.K. sets forth rules for their relationship after Brexit, including a conditional provision that would not deem the U.K. as a third country for purposes of personal data transfers from the EU for a period of up to six months, or until the European Commission finalizes an adequacy decision for the U.K., whichever comes first. In the interim, data will be able to flow freely in both directions between the U.K. and the EU until at least May 1, 2021, and as late as July 1, 2021.

For the U.K. to benefit from this arrangement, the trade agreement places a freeze on the U.K.’s ability to approve any independent mechanisms (including adequacy regulations, contract clauses, binding corporate rules, codes of conduct, or certifications) for the transfer of personal data to any non-EU country (including the U.S.) until the EU determines the U.K to have adequate data protections to receive data—or until July 1, 2021.

Why does the EU-U.K. draft trade agreement matter for U.S. businesses?

Because the freeze on the U.K.’s exercise of its ability to recognize new cross-border transfer standards will likely affect the timeline for the approval of any new mechanisms for U.K.-U.S. transfers. Since the U.K. cannot enter into an agreement with other countries for up to six months without forfeiting its free flow of data with the EU, businesses can expect that a new U.K.-U.S. framework will not arrive until after an EU adequacy decision.

This development does not change anything for those U.S. businesses with a compliance culture already focused on demonstrating and documenting high standards for cross-border transfers. It simply means the period without fully recognized transfer mechanisms is likely to continue through the first half of 2021, at least when it comes to the U.K.


In the Long Term, a Brighter Future for EU-U.S. Transfers

Restoring a robust EU-U.S. transfer framework endorsed by a European Commission adequacy decision is important not just for Privacy Shield businesses, but for all U.S. businesses that depend on cross-border data flows. It is a key element to restoring all transfer mechanisms to full strength after the Schrems II decision because it is only through such an agreement that the U.S. guarantees additional redress mechanisms for EU individuals, which apply regardless of how their data is transferred to the U.S.

Of course, it is also important for facilitating the vital economic relationship between the two trade partners.

Recently, recognition of the economic interests at stake was apparent in the testimony from U.S. Department of Commerce Deputy Assistant Secretary (DAS) James Sullivan in a December 9 hearing about the status of Privacy Shield before the Senate Commerce Committee. DAS Sullivan leads the office of the International Trade Administration that operates the Privacy Shield Frameworks.

Throughout his testimony, he made it clear just how important the goal of restoring cross-border data flows with Europe is to the U.S. government, focusing first on the scale of the economic issues at stake. In particular, he highlighted the $450 billion in transatlantic trade that involves digital services and the likelihood that “given the ongoing digitization of virtually every industry sector and the fact that cross-border data flows between the U.S. and Europe are the highest in the world—far more of that overall $5.6 trillion in trade is facilitated in some way by cross-border transfers of data.”

Restoring legal certainty around transatlantic data flows has thus been a major priority for the U.S. government, which is working to “negotiate mutually acceptable standards of data privacy through targeted enhancements to the Privacy Shield Framework.” 

By all accounts, negotiations are ongoing at all levels between the EU and U.S.—and stakeholders on both sides remain highly committed to finding a solution. 

The signs of progress in talks between the EU and U.S. remain strong and the U.S. commitment to a solution was on full display in the Senate hearing, including:

  • DAS Sullivan’s description of the “multiple workstreams” at the U.S. Department of Commerce and elsewhere that are involved in coming to a resolution with the European Commission and other EU stakeholders;
  • Chairman of the Commerce Committee, Senator Roger Wicker’s opening statement mentioning his recent “productive and informative” meeting with members of the European Commission;
  • Federal Trade Commission (FTC) Commissioner Noah Joshua Philips’s full support of the efforts of the U.S. Department of Commerce and re-iteration of the commitment of the FTC to continue enforcing the Privacy Shield promises of U.S. companies; and
  • Professor Peter Swire’s, review of the serious commitment to continuity on these issues has been evidenced over the past few administrations, which shows that there is likely to be a smooth transition to the new administration.


Plenty of evidence gives us hope that a new agreement to support EU-U.S. data transfers is on the way in 2021. 

 

What to Expect for Future EU-U.S. and U.K.-U.S. Frameworks

Both new agreements, EU-U.S. and U.K.-U.S., are likely to incorporate enhancements that would respond to the concerns of the Schrems II court relating to government surveillance of EU data. Though the multi-layered commercial protections in the Privacy Shield Frameworks were not at issue in the case, there may also be some targeted enhancements on the commercial side. If so, these are likely to echo the European Data Protection Board’s recommendations for “supplementary measures” to strengthen data transfer agreements, which include technical, contractual, and organizational enhancements.

Operationally, new agreements for EU-U.S. and U.K.-U.S. transfers (and Swiss-U.S., too) will almost certainly track the general structure of the current Privacy Shield Framework. That is, they are all likely to include:

  • Requirements for accountability (through self-certification and/or verification),
  • Transparency (such as public attestations and a list of participants),
  • Enforceable privacy policy commitments, and
  • No-cost independent dispute resolution mechanisms for individual data subjects (such as BBB EU Privacy Shield). 

 

Until new frameworks are in place, uncertainty will remain.

The legal environment for transatlantic transfers has not changed significantly since July. 

Privacy Shield remains invalid as a mechanism for transferring personal data to the U.S. from:

  • The EU, due to the Schrems II decision invalidating the European Commission’s adequacy determination for the EU-U.S. Privacy Shield Framework;
  • Switzerland, after an opinion from the Swiss FDPIC on September 8 recommended against relying on the Swiss-U.S. Privacy Shield Framework for ongoing transfers; and
  • The U.K., which continues to be bound by retained EU law until it is free to make its own adequacy regulation (likely after July 1, 2021).


Nevertheless, the EU-aligned standards established by the Privacy Shield Principles remain recognized in the U.S. The
U.S. Department of Commerce continues to operate the Privacy Shield Program. Perhaps most importantly to a company’s operations, the FTC continues to enforce Privacy Shield commitments.

These commitments include the promises about substantive data privacy practices baked into Privacy Shield businesses’ privacy policies and public self-certifications on PrivacyShield.gov. They also include the commitment to provide an Independent Recourse Mechanism for European individuals with privacy inquiries and complaints.

Accordingly, BBB EU Privacy Shield remains fully committed to operating our accountability program. Our dedicated staff continues to work with our participants to maintain their self-certifications and resolve any eligible privacy complaints received.

 

Keep Calm: Demonstrate and Document Data Transfer Practices

Given the current reality that no current transfer mechanisms will meet EU standards at this time, most businesses are choosing to keep their existing data transfer commitments in place, while revisiting any ongoing data transfers with a careful eye on the new requirements for additional safeguards and another eye on the potential for successor transfer frameworks in 2021. 

We are finding that most of our participants are choosing to maintain their participation in the BBB EU Privacy Shield program because it facilitates:

  • Demonstrable data protection practices. Maintaining practices in line with the substantive commitments of Privacy Shield is an important part of robust data transfer procedures, as it signals to partners, customers, and regulators that the business is doing everything it can to align its practices with EU principles during this time when compliance is impossible. 
  • Business continuity. Remaining in Privacy Shield, and abiding by its requirements, helps maintain an unbroken chain of responsible data practices while waiting for a sanctioned transfer method.
  • Consumer recourse. Businesses that wish to enhance the trust of their customers appreciate the value added by a commitment to provide consumers with free, independent recourse for privacy complaints. Maintaining this mechanism demonstrates to European partners and EU individuals that the business takes seriously the values underlying EU data protection law, even in a time of regulatory uncertainty for data transfers.


Each business situation is unique, so what you do to strengthen your compliance posture during this time depends heavily on the types of data flows you anticipate receiving. 

Much uncertainty remains for U.S. businesses that wish to lawfully receive the personal data of individuals from the EU, U.K., and Switzerland. Companies are best advised to document their data flows, transfer tools (including applicable derogations), and contracts—along with the efforts they are making to demonstrate their commitment to EU standards—until more clarity develops.

As the compliance landscape continues to evolve, we will continue to share updates as they are available. As always, please reach out to us with any Privacy Shield questions.

Suggested Articles

Blog

CFBAI and CCAI Publish the 2023 Annual Report on Participant Compliance and Program Progress

BBB National Programs has released the Children’s Food and Beverage Advertising Initiative (CFBAI) and Children’s Confection Advertising Initiative (CCAI) 2023 Annual Report. The report notes excellent compliance by the 22 CFBAI participants and the six CCAI participants in 2023.
Read more
Blog

The Case for Teaching Industry Self-Regulation in Law, Business, and Public Policy Schools

Law schools, business schools, and public policy programs have a unique opportunity to shape the future of corporate behavior by teaching students the importance of soft law and independent industry self-regulation.
Read more
Blog

5 Missteps to Avoid When Applying or Recertifying to the DPF Program

Each year, participants in the DPF Program need to recertify with the Department of Commerce. To help companies navigate it, our Global Privacy Division has outlined five key recommendations to keep in mind to avoid common missteps with the process.
Read more
Blog

Sharing Holiday Cheer (but Not a Child’s Personal Information)

Not surprisingly, cell phones, connected toys, and toys advertised on social media top wish lists of kids everywhere. To help ensure your holiday shopping experiences are as safe as possible, the team at CARU put together some holiday tips.
Read more