Newly Formulated Contract Terms Are the Key to EU-US Data Transfers

On December 2, 2020, the European Commission and the European Union (“EU”) foreign affairs service issued a joint statement with goals for the EU’s relationship with the United States. The statement highlighted areas of shared interest including cooperation on “cybersecurity capacity building, situational awareness, and information sharing.” The countries could coordinate to combat attributed attackers from third countries. The EU groups also welcomed greater parallel action in dealing with artificial intelligence, seeing it as an opportunity to express their common “humancentric approach.” However, pertaining to privacy and data governance, the statement was clear in calling EU and American views divergent.

A recent Politico article suggests that getting a new data protection agreement between the EU and the United States is critical to repairing the transatlantic relationship. Without a legal mechanism for American entities to transfer EU personal data to the United States, companies will have to store data on their European customers in Europe, which is very costly and may be unaffordable for small and medium-sized enterprises. On July 6, 2020, the Court of Justice of the European Union (“CJEU”) invalidated the Privacy Shield, which was an agreement between the EU and the United States that allowed data to be transferred between the two countries.

The Privacy Shield was the EU’s and the United States' replacement for an agreement called Safe Harbor. Safe Harbor allowed companies sending EU citizens’ data to the United States to be subject to EU’s privacy regulations which were enforced by the United State government. Revelations about the US NSA’s access to data led to greater scrutiny from the EU about American privacy practices. In particular, Austrian privacy activist Max Schrems challenged the Safe Harbor agreement, arguing that American surveillance made the Safe Harbor agreement invalid because it was in conflict with EU law. The CJEU agreed with Schrems and ruled that Safe Harbor did not properly protect EU data.

Despite divergent regimes for protecting personal data, the United States and the EU had previously been able to come to terms to allow data transfers between the countries. First with the Safe Harbor, which existed from 2000 until 2013, and then with the Privacy Shield which was invalidated by the CJEU in 2020. The CJEU’s repeated unwillingness to trust America’s privacy regime leads to a natural skepticism that a third deal would provide a different ending even if it is pivotal to transatlantic relations. Max Schrems has likened deals between the two countries as the United States telling Europe that its citizens have no rights.

In the same decision that invalidated the Privacy Shield, the CJEU stated that Standard Contractual Clauses (“SCCs”) remained a legal means to transfer data from the EU to countries that had not been designated as “adequate” data protection jurisdictions by the European Commission. The CJEU did caveat that there would be instances, particularly where government surveillance created risks for data subjects, that additional risk mitigation measures be put in place to supplement the SCCs.

On November 11, 2020, the European Data Protection Board (“EDPB”) evaluated the CJEU’s ruling and issued guidance. The EDPB requires businesses to evaluate whether foreign governments could access an EU data subject’s personal data, without relying on a specific entity’s history of being subject to such government access in determining that the risk was low. Since then, the European Commission has also released a new draft of the SCCs, broadened to recognize the complexities of international business relationships. The draft set of clauses permits two novel processing relationships, namely: EU-based processor to ex-EU processor, and EU-based processor to ex-EU-controller. The existing version of the SCCS addressed two data flow scenarios: an EU-based controller exporting data outside of the EU to other controllers, or to processors. The feedback period on these proposed new SCCs ends today. Barring a new agreement being executed by the EU and the United States, entities transferring EU personal data will be leaning heavily on SCCs using the aforementioned guidance.