What impact will the new EU-US data transfers mechanism have on the UK?
According to the US Department of Commerce Privacy Shield Director, Alex Greenstein, negotiators from the European Union and the United States of American are said to be on the “the home stretch” in terms of finalising a personal data transfer mechanism akin to adequacy between the two regions, with an announcement possible as early as spring this year.
Data transfers between the EU and the US
While speaking at a conference recently, Mr Greenstein’s assurance of a simpler transfer mechanism is likely to be welcome news to many American and EU businesses that have faced difficulty when undertaking EU-US transfers since Privacy Shield became invalid in 2020.
The deal has historically faced several sticking points – U.S. surveillance statues and procedures and technology development regulation to name a few. However, this latest update seems to create optimism for a more practical transfer mechanism that moves away from the existing valid mechanisms being standard contractual clauses (either the ‘new’ modular form clauses or, for a limited time, the ‘old’ form clauses) or binding corporate rules to make the transfer ‘lawful’. These have proven to be problematic for businesses and accused of being difficult to implement in practice.
What impact will it have on the UK?
Following the UK’s departure from the European Union, the decision would not have direct effect on UK to US transfers, as the UK is responsible for making its own determinations of adequacy and implementing its own mechanisms for international transfer.
To date, we have maintained use of the ‘old’ form EU SCCs to get us through the transition period post-Brexit, but change is on the almost immediate horizon.
In a purposeful move away from the EU SCCs, Parliament is currently reviewing proposals to replace these with an “International Data Transfer Agreement” (IDTA). The IDTA is said to be more “user-friendly” and “supportive of the UK’s digital economy”. Providing no objections are raised, the new rules could take effect from 21st March this year, with their use becoming mandatory for transfers occurring after 21st March 2024.
It remains to be seen whether an EU-US mechanism for data transfers would influence the UK’s approach to adequacy going forward. However, an indisputable fact is that the legal landscape for data transfers involving UK-based businesses will be changing. We suggest that you review your existing/pipeline contracts and note any long-term commitments that will continue beyond March 2024 (for example, processing agreements or addendums which refer only to use of SCCs).
We can provide tailored guidance and practical advice on all aspects of international and domestic data transfers, including the use of the new IDTAs and any further changes to law that may be on the horizon.
Please contact our data protection team if you have any questions.