The expectation is that the new administration will look to reverse the deterioration in relations between the US and Europe. Leaving the politics aside, for a number of years there has been a battle between Brussels and Silicon Valley over the scope for EU companies to transfer data to the US. Put simply, the EU prevents data being freely transferred from the EU to the US, which is why many Silicon Valley companies have operations in the EU. There have been past compromises (the “safe harbor” and the “privacy shield”), but these measures were invalidated by the European Court following challenges by Max Schrems, an Austrian citizen. The privacy shield was invalidated in July 2020 in a case called ‘Schrems 2’.
The restrictions on transferring personal data do not just concern the US. The European Data Protection Board (“EDPB”) has assessed every country’s privacy “set-up” and only 13 (including the Isle of Man and the Channel Islands) were deemed adequate. The US is not one of the 13 countries. Following Schrems 2, therefore, EU companies are back to using “standard contractual clauses” and doing due diligence on US companies. This involves conducting a detailed assessment of how each US company processes data (which has to be properly documented in case the decisions are subsequently challenged) and negotiating the standard contractual clauses, the terms of which many US companies will find too onerous. If there is an imbalance of power, the EU company may not be able to complete these processes and will have to find another company to work with.
Can the new administration permanently unblock this issue?
US vs EU Privacy framework.
The GDPR is the most comprehensive privacy legislation in the world. The EU regards privacy as a “fundamental” right. The territorial reach of the GDPR means that EU companies cannot transfer data to non-EU countries unless EU citizens’ privacy rights will be maintained: the GDPR “travels” with the personal data.
While each EU member has to adopt and enforce the GDPR with limited scope for national changes, the US framework is more splintered. There is no federal privacy law. Federal Trade Commission (FTC) Commissioner Noah Phillips has said the U.S. needs a federal privacy law. So while states such as California have privacy legislation, others do not. The Californian Privacy Act became law on 1 January 2020 and is the most comprehensive: citizens can ask for their data to be deleted, but the act does not require businesses to risk-assess their entire data processing modus operandi. Those states which do not have privacy rules argue that the US Bill of Rights is sufficient.
There are cultural issues in play. Some have concluded that in the US the expectation is that once a citizen has disclosed his data, his rights fall away and the recipient can maximise the value of that asset. Bear in mind that the GDPR was dismissed by many on the West Coast as another example of the EU regulating while the US innovates.
When the privacy shield was invalidated by the courts, both the European Data Protection Supervisor and the EDPB issued statements that the United States should now introduce a comprehensive data protection and privacy legal framework essentially equivalent to the GDPR.
Where are we after Schrems 2?
The privacy shield (and its predecessor, the safe harbor), both formal agreements agreed between the US FTC and the predecessor of the EDPB, were unpicked by the same individual. The detail of the processes EU data controllers must follow to transfer personal data to the US is beyond the scope of this article.
The privacy shield allowed US companies to register with the US FTC, so any EU company could proceed with comfort as to the bona fides of the recipient and had no need to conduct due diligence. This process was declared invalid. Data transfers will now have to follow the other processes in the GDPR: the standard contractual clauses and a risk assessment of the credentials of the recipient. Despite these past compromises, the US is now in the same position as many other countries.
Where does this leave post-Brexit UK?
The UK has committed to follow the GDPR and other EU-derived privacy laws in order to become the 14th “adequate” country. If the UK cannot quickly achieve that status, then while the UK is happy for transfers to the EU, the EU will not reciprocate. For EU companies transferring personal data to the UK next year, this will require the same bureaucracy as transfers to the US entail. We will no doubt see UK companies setting up in the EU to avoid losing this business from the EU.
Although some in this Government have questioned the merit of securing an adequacy decision from the EU (a decision made by their predecessors), we have to assume that the cost-benefit analysis remains unaltered. If the UK were to take a different approach from the EDPB regarding the US’s “privacy set-up”, this could jeopardise the coveted “adequacy” decision. For these reasons this article assumes that the UK will follow the EU’s stance on transfers to the US and will act as if it were still an EU member.
Any optimism that the incoming Biden administration will lead to more flexible transfers of data from the EU/UK to the US is likely to be misplaced. While to many this may appear a squabble over an esoteric concern, and to others the EU exercising its geopolitical might, this issue is born of deep-rooted cultural and constitutional differences between the EU and the US. Furthermore, US national security law, which gives American agencies far-reaching means to collect data on non-US citizens, will continue to be an issue. Put simply, these US laws challenge the supremacy of the GDPR, which the European institutions were protecting with the two Schrems decisions. Even if the Biden administration makes progress with EU leaders in bilateral trade talks dealing with this issue, the reality is that the EDPB would make the decision, and this body is independent of the EU institutions and of the political leaders of the leading EU member states.
The only way for this impasse to be broken is for the US to introduce a federal privacy law. There are a number of reasons why that may not be politically palatable, but even if sentiment has changed, such a law would have to navigate the US Congress. Bear in mind that, even with a consensus in its favour, the GDPR took five years to be approved by the EU. It is harder to implement comprehensive reform in the US even where there is a consensus behind it. Standard contractual clauses and due diligence on US companies are here to stay.
About the Author
Alexander Egerton, Partner at Seddons, is an experienced commercial lawyer who acts for small and medium-sized enterprises, trade associations, professional firms and entrepreneurs. Working proactively with the founders of start-ups and helping them grow their businesses, he is able to share his expertise in data protection law, “e-commerce” law, intellectual property law and contract law. Alexander has a lot of experience in advising founders on implementing share option schemes and helping businesses prepare for (and then manage the process of) further investment rounds. He is often approached by entrepreneurs asking him to work with them as they embark on their post-exit projects.