An explainer: Personal Data flows to the US - what's going on?
Tash Whitaker
CIPP/E, CIPM, FIP, DPO Certification (Maastricht), PG Cert DP Law & IG. Passionately curious.
I'll start off by saying that my audience for this is non-Data-Protection people, who just want to know what is going on. I know some terminology isn't exact, but it's not my intention to be perfect; I'm trying to make this digestible.
TL;DR: Nothing to see here, carry on eating your cornflakes
You may have seen news or commentary to the effect that President Biden has signed an Executive Order that will allow the free flow of data from the EU to the US again.
Before you start jumping with glee, let me explain what has really happened and what impact it may have.
First, a bit of history: When the UK was part of the EU, we followed the same rules as the EU in terms of data transfers. Basically, that meant that personal data transfers to the US were prohibited, unless there was an “appropriate safeguard” in place. Until 2020, that appropriate safeguard was known as Privacy Shield. Pretty much, as long as a US company was signed up to that, then we could transfer personal data out there. If they didn’t have Privacy Shield, then they had another option: Standard Contractual Clauses (SCCs), plus a few more, but I’m not going into that.
Then, a few things happened:
1) An Austrian activist and lawyer called Max Schrems raised a case with the Irish Data Protection Authority complaining that Facebook were transferring data amongst their business units, across to the US, using SCCs, but that this was unlawful as the surveillance laws in the US made those SCCs invalid.
2) As a result, in July 2020, the courts decided that SCCs were actually sort of ok, but that Privacy Shield was not. They invalidated Privacy Shield pretty much immediately and made changes to the SCCs, putting the onus on the data exporter to use additional due diligence checks.
3) At the end of 2020 Brexit happened, but the UK retained “adequacy” with the EU, which means that we can transfer data to Europe as long as we keep an equivalent data protection regime.
Whilst the EU now had new SCCs to use and a new process to follow, which included having to do transfer impact assessments, the UK was a little bit in limbo. The ICO decided that the UK could continue to use the old EU SCCs, or UK SCCs as they tweaked and renamed them, until earlier this year.
The UK then brought out the UK International Data Transfer Agreement and the Addendum to the new EU SCCs, for use with all new transfers from September 21st, 2022. UK exporters also must do International Data Transfer Assessments, similar to the EU.
So, what’s happened now?
Well, the US has looked at all the reasons that the EU invalidated Privacy Shield and drawn up a list of all the things that they are putting in place to correct them and signed them into law. (This is essentially the Executive Order; a just-add-hot-water-instant-law.)
Once this happens, then in theory the EU can take a new look at the US approach to data protection and decide if it wants to allow a new Privacy Shield to be created, possibly by March 2023.
That doesn’t mean that as of now, a new Privacy Shield has been created.
It doesn’t mean that we can now stop with the SCCs/IDTA and assessments.
It does mean that things might change.
If it does, that will only impact companies who are subject to EU GDPR and won’t apply to UK Controllers/data exporters. We can’t use a safeguard that the EU created, because well, Brexit.
In the meantime, the UK has let the EU do all the work with the US, has then jumped on the coat tails, and is now also in talks with the US to set up its own appropriate safeguard for UK-US transfers.
The outcome of that could be a UK-US new Privacy Shield.
But it might not. The UK must be mindful of the fact that if it allows the free flow of data to the US, and the EU doesn’t, then that could undermine their adequacy decision with the EU. Being unable to transfer data to the EU would be a mess.
How likely is it that a new EU-US Privacy Shield will be approved?
It could be, but if it is, it is likely to be temporary. An analysis of the Executive Order suggests that the things on the list don’t actually fix the issues that the courts said invalidated the old Privacy Shield (not planning to go into those details here).
If by any chance a new EU-US Privacy Shield does get approved, then we know that Max Schrems will be straight on it (it is his raison d'être, or whatever the Austrian equivalent is) and it’ll probably last a couple of years at best before we end up back where we are now.
The only real winners in this are all the lawyers repapering all the contracts each time something changes.
Chief Executive Officer at DPAS
2 years ago: Brilliant, thanks Tash.
Consultant, Interim ICT manager and GDPR Practitioner
2 years ago: Spot on Tash! When the press at the time of the 2nd striking down reported that "This time the CJEU has laid out its objections fully so a new privacy shield will never be possible", I had my doubts. Too much money and quite honestly not enough competition/technology outside of US control.
Helping SMEs Strengthen their #brand, Increase #revenue, Reduce risk with #GDPR training and implementation | Multi-Award Winner & C-DPO, CIPP/E, ITILv4 qualified
2 years ago: Great article, simple and straight to the point... loved it!
Senior Privacy & Information Management Manager at Direct Line Group
2 years ago: Great, concise article Tash Whitaker, thanks for sharing.
Public Health Scientific Researcher | Sciensano
2 years ago: Very well written!