International Data Transfers: Overview of The Proposed UK-US Data Bridge & the Recent Decision Saga

As always, the world of data protection continues to develop at a rapid pace. In this article, we report on two major recent developments. Firstly, the recent development of the proposed UK-US data bridge, which is the UK’s response to the existing gap in UK-US data flows and could remove significant barriers to UK businesses. The second piece concerns the recent decision against Meta Ireland, also primarily concerned with international data transfers, and serves as a strong reminder for all organisations of the importance of complying with transfer rules. At the end of the article, we also briefly explore what UK organisations should be taking into consideration in order to comply with international data transfer rules under the Data Protection Act 2018 (UK GDPR).

UK-US Data bridge

On 8 June 2023, the UK and the US issued a joint statement about committing in principle to establish a UK-US data bridge. The bridge will be a UK extension to the Transatlantic Data Privacy Framework between the EU and US, which is currently being reviewed by the EU institutions (more on this framework here). If adopted, it would mean that data can flow freely between the UK and US, removing any need to put in place appropriate safeguards (for example, the International Data Transfer Agreement issued by the ICO).

The adoption will, of course, be preceded by an assessment of the US data protection laws and practices, in particular, the effects of Executive Order 14086  and associated regulations. However, as also mentioned in the statement, the UK-US data bridge will be an ‘extension’ to the EU-US Data Privacy Framework, which means that UK organisations should not expect anything to materialise in this respect until and unless the EU adopts an adequacy decision.

Irish Data Protection Commissioner (DPC) Imposes A €1.2bn Fine on Meta Ireland

On 22 May 2023, a record-shattering GDPR fine of €1.2 billion was issued against Meta Ireland (Meta), surpassing the previous record held by Amazon with a €746 million penalty. The fine, which was much anticipated and imposed by the DPC, followed a binding decision issued by the European Data Protection Board (EDPB) earlier in April of this year. The recent decision is a cautionary example for many organisations, and almost strangely coincidental in that it came to light only a few days before GDPR, a privacy regulation that continues to set the global standard, celebrated its 5-year anniversary.

Context

‘We are happy to see this decision after ten years of litigation,’ Max Schrems notes in the article on NOYB reporting on the fine. Here, in a sentence, is implied the political history that preceded, and arguably led to, the current decision.

As you might recall, a decisive rupture in EU-US data flows appeared at the time of Snowden revelations, which brought to light US intelligence activities. This inspired Max Schrems (who was a law student at the time) to challenge the lawfulness of Facebook’s personal data transfers to the US. In the ten years that followed the disclosures, we saw the two EU-US data-flow frameworks invalidated by the Court of Justice of the European Union (CJEU)—the Safe Harbour in 2015 and the Privacy Shield in 2020 (these court decisions are more commonly known as Schrems I and Schrems II respectively). After multi-year negotiations, we’re on the cusp of another EU-US framework—more on that below.

Overview

The binding decision made four key findings:

  1. US law does not provide a level of protection that is essentially equivalent to that provided by EU law;  
  2. Neither the 2010 SCCs nor the 2021 SCCs can compensate for the inadequate protection provided by US law;   
  3. Meta Ireland does not have in place supplemental measures which compensate for the inadequate protection provided by US law; and,  
  4. It is not open to Meta Ireland to rely on the derogations provided for at Article 49(1) GDPR, when making the data transfers.


Schrems II is particularly relevant to this case as it made important clarifications with respect to the international data transfer mechanisms under GDPR. The key misgivings of the CJEU with respect to the US data transfers were the absence of necessity and proportionality limitations in the country as well as a lack of an effective judicial redress mechanism for data subjects. The first finding is thus an expected one as the absence of essential equivalence was the foundation for the court’s judgment.

Before Schrems II, in the absence of an adequacy decision organisations would typically rely on Article 46 safeguards to justify their international data transfers (e.g., standard contractual clauses (‘SCCs’)), noting that previously, organisations relied on the 2010 SCCs, which were updated in 2021 (the deadline for transitioning to the updated SCCs expired on 27 December 2022). The recent decision touched on both sets of tools and found that neither the 2010 nor 2021 SCCs can compensate for the deficiencies in the protections provided by US law.

The above finding echoes Schrems II where the court stated that, while valid tools, reliance solely on SCCs is insufficient to safeguard personal data and case-by-case assessments are necessary. This brings us to the point of transfer impact assessments (‘TIAs’) or transfer risk assessments (‘TRAs’) as they are referred to across the English Channel. The TIAs are additional tools that, in the CJEU’s view, must accompany safeguards set out in Article 46 of GDPR, which include SCCs. In essence, the TIAs require organisations to carry out case-by-case assessments of transfer scenarios thoroughly to understand the associated risks and, where necessary, to implement supplementary measures. These can take many forms, from contractual to organisational and technical measures (e.g., encryption). Depending on the facts, the use of transfer tools e.g., SCCs together with a TIA and, where found necessary, supplementary measures could together compensate for the inadequate protections of the target jurisdiction.  However, the DPC found that the measures implemented by Meta as part of its TIA fell short and failed to ‘compensate for the inadequate protection provided by US law’. In other words, Meta could not rely on the combination of SCCs and TIA lawfully to transfer data to the US.

Where Article 46 fails, organisations sometimes look to Article 49 of GDPR, which provides derogations to international data transfers rules. However, these are, as the name suggests, derogations and should be relied upon in strictly exceptional cases as set out in the article. Indeed, the DPC stated in its order that Meta is not entitled to rely on the derogations in Article 49(1) for its data transfers. It has been established that ‘the derogations cannot be relied upon for systematic and massive transfers and have to be strictly construed.’

In essence, the decision left Meta without any fall-back option to validate its international data transfers. The only logical next step, invariably, was for the DPC to order Meta to suspend all of its transfers, which it did. Interestingly, in the binding decision EDPB considered that ‘a suspension order alone would not be enough to produce the specific deterrence effect necessary to discourage Meta IE from continuing or committing again the same infringement.’

In light of the above, the DPC made three orders:

  1. requiring Meta Ireland to suspend any future transfer of personal data to the US within the period of five months;
  2. imposing an administrative fine for the amount of €1.2 billion; and
  3. requiring Meta Ireland to bring its processing operations into compliance with Chapter V of the GDPR within 6 months.

Transatlantic Data Privacy Framework: can it save Meta?

The decision comes at an interesting time when the new EU-US transfer framework remains a possibility, though arguably not an immediately forthcoming one. We noted the decision does not take into account the Transatlantic Data Privacy Framework (DPF) when arriving at conclusions. In short, the rationale is two-fold: first, the DPF does not yet apply to EU data subjects as the US is yet to designate the EU as ‘the qualifying state’; and second, even if the DPF were operational, the DPC noted that privacy and civil liberties safeguards were not intended to have a retrospective effect. It is noteworthy that the DPC fully reserved its position as to whether the DPF can stand against the CJEU’s robust test and provide ‘essential equivalence’ with the EU protections.

Recently, the framework drew sharp criticism from the European Parliament, which stated in the resolution of 11 May 2023 that the framework ‘fails to create essential equivalence in the level of protection’ with the EU law.

We note that as early as October last year, there were already doubts as to the framework’s longevity, owing in particular to the likelihood of a legal challenge on the basis of potential non-compliance with EU law. A need for renegotiation was echoed by others in the months that followed. In the same resolution, the European Parliament called on the European Commission ‘not to adopt the adequacy finding’ until all of their recommendations as well as those of the EDPB are ‘fully implemented’ and ‘to continue negotiations with its US counterparts with the aim of creating a mechanism that would ensure such equivalence’. But new negotiations take time, and so does all the bureaucracy and paperwork involved in taking adequacy decisions in the EU.  In this light, waiting for the EU-US free flows of data to materialise any time soon may not be the most tangible course of action.

What’s next?

The broader impact of the DPC’s decision cannot be understated. As with any cautionary tale, there are lessons to be learned by those watching it unfold from afar. For certain organisations, the Meta decision may mean an immediate action to avoid being the next one to be in the crosshairs of their supervisory authorities. Whether this will have wider effects on the transatlantic data flows or disrupt the provision of online products and services currently enjoyed by EU data subjects, remains to be seen. In the meantime, the DPF continues to hang in the air: a much-needed relief for organisations on both sides of the Atlantic or, perhaps, another framework bound to fall like its predecessors. Like the DPC, at this stage we choose to reserve our thoughts on the matter.

What should UK organisations do to comply with international data transfer rules?

For most organisations, including those in the UK, the recent decision is a reminder of the importance of compliance with international data transfer rules. Below we have put together questions organisations can ask themselves to check whether they comply with these rules.

 

1. Are you carrying out an international data transfer?

If you’re unsure about whether you’re carrying out an international data transfer, consider asking yourself the following questions:

  • Does the UK GDPR apply to the processing of the personal data being transferred?
  • Are you sending personal data, or making it accessible, to a receiver located in a country outside the UK?
  • Is the receiver a separate controller or a processor and a legally distinct entity from you (i.e., not a branch)?

If you’d like to read more on what qualifies as a restricted transfer under the UK and EU regimes, take a look at this article.

 

2. If you’re carrying out an international data transfer, are you sure you are complying with the transfer rules under UK GDPR?

Personal data can be transferred to third countries through one of the routes available under the UK GDPR. Consider asking yourself the following questions:

  • Is the country or territory recognised as an adequate jurisdiction by the UK? If yes, you don’t need to take any further steps and the transfer can go ahead.
  • If the country or territory is not recognised as adequate, have you put in place the relevant transfer tool under Article 46 of UK GDPR (e.g., the UK’s International Data Transfer Agreement or a combination of the EU’s Standard Contractual Clauses and the UK Addendum)?
  • If you’re relying on a transfer tool under Article 46 of UK GDPR, have you carried out a transfer risk assessment which is a mandatory requirement? Organisations in the UK are required to carry out a transfer risk assessment, which must accompany a transfer tool. This may, in some cases, require you to implement supplementary measures (if you’d like to read more on TRAs, please see this article). Organisations whose transferred data would be exposed to the risk of surveillance or potential access orders from the governments of the importer’s jurisdictions may find that reliance on these tools may be insufficient to compensate for inadequate protections in the destination country.
  • If not, are you relying on one of the transfer tools under Article 46 of UK GDPR, can you rely one of the available exemptions under Article 49? However, organisations should remember that the exemptions can only be relied on in very limited circumstances and cannot typically be used for regular transfers.
     

If you have any queries or would like further information, please visit our data protection services section or contact Christopher Beveridge.

 

Subscribe: Data Privacy Insights

Subscribe: Data Privacy Insights

Please refer to the Introduction to our Privacy Statement and the Contacts section, which tell you what we do with your personal information, your rights and other relevant information.