The Future of EU-U.S. Data Transfers

November 16, 2022

On October 7, the negotiations between the U.S. and European Commission regarding the future of the data privacy frameworks behind the Privacy Shield program were completed with the release of a Presidential Executive Order, passing the baton to the EU for the start of their adequacy process. Finally, after two years of limbo, the 5,000 businesses that rely on the EU-U.S. Privacy Shield framework got some insight into what steps the United States will take to uphold its commitment under a new EU-U.S. Data Privacy Framework.

In this episode of Privacy Abbreviated, host Catherine Dawson and guest host Rebecca Knight are joined by Cobun Zweifel-Keegan, managing director of the Washington, DC office of the International Association of Privacy Professionals (IAPP) to break down this recent executive order, what comes next, and what this all means for businesses.

_________________________________________

Related Resources

Two Peas in a Privacy Pod: Global CBPR and the EU-U.S. Data Privacy Framework

The Metaverse Will Blur the Lines Between Physical and Online Privacy

The Path Forward for Privacy Shield

_________________________________________

Show Notes

00:00 – In episode four of  Privacy Abbreviated, hosts Rebecca Knight, Policy Council for Privacy Initiatives at BBB National Programs, and Catherine Dawson, General Counsel and Chief Privacy Officer of Osano, sit down to discuss The EU-U.S. Privacy Shield frameworks.  

01:30 – In this episode, they are joined by guest Cobun Zweifel-Keegan, managing director of the Washington DC office of the International Association of Privacy Professionals (IAPP). IAPP is a resource for professionals who want to develop and advance their careers by helping their organizations successfully manage these risks and protect their data. In fact, they’re the world’s largest and most comprehensive global information privacy community. 

02:23 – To start the episode, Rebecca introduces the background of EU data transferring and how it’s developed over time. She begins by explaining the role of transfer mechanisms. Under the GDPR, there are essentially three main transfer mechanisms organizations can use to transfer the personal data of EU citizens to other countries. These mechanisms are binding corporate rules or BCRs. Corporations use these internally through standard contractual clauses or SCCs and adequacy. Adequacy is considered the gold standard of transfer mechanisms, and only about a dozen countries have received this recognition thus far, including the U.S..  

03:09 – Rebecca also further explains the context of adequacy, a formal decision made by the EU, which recognizes that another country provides an equivalent level of protection for data, data privacy, or personal data as the EU does. Rebecca then informs listeners of the five steps required to achieve adequacy: 

1. The EU Commission needs to draft an adequacy decision. This draft decision is provided to the European Data Protection Board (EDPB) for review.  
2. The EDPB reviews the draft adequacy decision and issues.  
3. The European Parliament takes that draft adequacy decision and then adopts a non-binding resolution on its position about the decision.  
4. 55% of the EU member states representing 65% of the total EU population must approve the adequacy decision. 
5. If approval goes through, the determination of adequacy is adopted and takes effect immediately.  

04:54 – Rebecca then notes that most privacy professionals expect to see the new framework take effect in March 2023. 

08:27 – Catherine then asks Cobun if he thinks the executive order addressed the concerns in Schrems II and will adequacy be granted. Cobun replies stating that the review was very comprehensive and succinct. He adds that he feels the U.S. executive branch has tried to be very creative in building a mechanism that would exercise as much independence as possible while still flowing from different areas of power within the executive branch.  

10:49 – Catherine follows his thoughts by asking:

1. Assuming adequacy is granted, do we expect it to be challenged?  
2. What should business leaders think about regarding how comfortable they should feel relying upon it?  

11:17 – Cobun responds by saying companies should be prepared to adopt these laws as absolute and that there will be a legal mechanism for transferring data from the EU to the U.S., assuming that that adequacy is granted. He also notes that while these decisions on adequacy should be applicable internationally, they are quite broad, and the U.S. has a different definition of adequacy.  

11:57 – Furthermore, in the U.S. case, there’s a voluntary mechanism represented by the Privacy Shield certification framework. This framework requires U.S. companies to commit to protecting individuals’ privacy. Once the commitments are made, they are enforced by U.S. law since they’re publicly enshrined in their privacy policies and, therefore, enforceable by the Federal Trade Commission. Cobun concludes this point by stating that businesses are held to them once a commitment is made, whether or not there’s an adequacy decision in place.  

17:46 – Catherine then asks Cobun whether or not businesses should self-certify under the Privacy Shield. Cobun answers Catherine by stating that while there is no particular advantage for a company to apply for certification early, it is an appropriate and practical step. He adds that because so many businesses will be applying early, there will essentially be a “line” that’s created. Because this will impact the speed of responses to companies and take considerable time to process, Cobun says businesses might as well self-certify now.  

19:27 – Catherine asks Rebecca if she has any advice for companies. Rebecca suggests the best thing for companies to do is to reach out to their IMS and stay up to date on what’s going on and what processes are happening regarding Privacy Shield.  

29:30 – To close the interview, Catherine asks Cobun and Rebecca how businesses should best prepare for this update. Cobun responds by saying that he believes there will likely be some scrutiny regarding data transfers that are transmitted to or take place outside the EU’s non-allied territories. He also believes that legislative advancements could potentially shift commercial practices within the U.S.. Rebecca adds that businesses should speak with their IRM and be prepared to move as quickly as possible due to the immediate enactment of this legislation once an adequacy decision is reached.  

Subscribe to Privacy Abbreviated to receive email notifications when new episodes air.