Anna Flanagan and Kathryn Wynn, who specialise in data protection law at Pinsent Masons, were commenting after the US Supreme Court ruled that “subordinates” exercising the US president’s power are “subject to removal” by the president. The ruling came in a case in which a former commissioner at the Federal Trade Commission (FTC), Rebecca Slaughter, had challenged US president Donald Trump’s decision to fire her.
The decision has sparked discussion over whether EU-US data transfers will continue to be lawful. The transfer of personal data from the EU to the US is an everyday feature of many companies’ global operations and supply arrangements. The discussion has arisen because of questions the US ruling raises about the independence of the FTC and other US authorities.
EU data protection laws place restrictions on the transfer of personal data outside of the European Economic Area (EEA). However, the law provides for a variety of mechanisms to be used to enable lawful data transfers.
One such tool is a European Commission ‘adequacy decision’. These are decisions that formally recognise the Commission’s view that personal data transferred to a non-EEA jurisdiction is subject to data protection standards that are ‘essentially equivalent’ to those in force in the EU. Businesses can rely on such adequacy decisions as providing a lawful basis for their data transfers to the relevant jurisdiction, under the EU’s data protection framework.
One adequacy decision currently in force concerns EU-US data transfers. It effectively endorses the arrangements contained in the EU-US Data Privacy Framework (DPF), which is a set of agreements and commitments the EU and US negotiated that are designed to underpin EU-US data transfers and meet the ‘essentially equivalent’ standard.
The DPF applies only where the US recipient is certified as a DPF participant. Transfers to any other US recipient fall outside the adequacy decision and need an “appropriate safeguard” under article 46 of the EU GDPR, most commonly standard contractual clauses (SCCs), together with a transfer risk assessment and, where that assessment calls for them, supplementary measures such as encryption of the data in transit and at rest. For UK-US data transfers, the UK has adopted a separate UK extension to the EU-US DPF, which enables transfers from the UK to US organisations that are certified under the DPF and have opted into the UK extension.
Under the DPF, the US government has designated the FTC as an enforcement body. This means it is responsible, among other things, for taking action against FTC-regulated US companies that have self-certified compliance with the DPF’s privacy principles but are not meeting those standards.
Following the ruling in the Slaughter case earlier this week, noyb, the privacy group headed by Max Schrems, highlighted how the independence of the FTC and other US authorities is supposed to be guaranteed under the DPF. It said the US Supreme Court judgment brings that into question and has called on the European Commission to withdraw its adequacy decision relating to the DPF as a result.
Anna Flanagan of Pinsent Masons said: “The ruling in the Slaughter case doesn’t upend the DPF but it may deepen concerns in Europe that key safeguards, particularly the independence of enforcement bodies, are less stable than assumed, making contingency planning for EU–US transfers increasingly important.”
The DPF is the latest in a series of data protection arrangements the EU and US have negotiated to try to facilitate EU-US data transfers. Earlier frameworks, the EU-US Safe Harbor and the Privacy Shield, were both effectively invalidated by the EU’s highest court following legal challenges fronted by Schrems. Last year, the DPF survived a legal challenge brought by French citizen Philippe Latombe, though that ruling is the subject of an appeal.
Kathryn Wynn of Pinsent Masons said that while the rulings in the three cases concerned the specific EU-US data transfer frameworks in place at the time, they are also relevant to transfer arrangements that rely on other legal tools provided for under EU law, such as SCCs, and not only to transfers to the US.
The case law established by the EU courts makes clear that businesses wishing to transfer personal data from the EU to a so-called ‘third’ country outside of the EEA, where they rely on SCCs or another article 46 safeguard rather than an adequacy decision, must carry out a data transfer impact assessment of the law and practice in the destination country.
Wynn said: “Many organisations have long been aware of the fragility of the DPF. As a result, they have opted to rely instead on the EU SCCs and, in the UK, the EU SCCs together with the UK Addendum or the ICO’s International Data Transfer Agreement when transferring personal data to the US. For those organisations, the US Supreme Court’s ruling does not suddenly undermine the validity of the transfer mechanism on which their data exports rely. However, organisations that have not relied on the DPF should not assume that no action is required. They should consider whether the judgment affects the transfer risk assessments underpinning their existing transfer arrangements.”
“Businesses should revisit the assessments they will have made about the US as part of their overall data transfer risk assessments and, importantly, consider whether the supplemental measures currently in place remain adequate or need to be enhanced,” she said.
“For indirect transfers of personal data, where a vendor bears responsibility for ensuring that the international transfer complies with applicable data protection laws and, accordingly, for completing the data transfer risk assessment, we strongly recommend that organisations request updated data transfer risk assessments from those vendors and seek confirmation that the overall data transfer risk assessment remains valid,” Wynn added.