A new framework for the flow of personal data between the EU and US has moved a step closer. For UK firms it’s an important development because it will increase the likelihood of the UK and US reaching a separate agreement to facilitate the free flow of personal data from the UK to the US.
On March 25, 2022, the US President, Joe Biden, and European Commission President Ursula von der Leyen announced that the United States and European Commission have agreed in principle to a Trans-Atlantic Data Privacy Framework. It aims to address deficiencies identified by the European Court of Justice in a case in 2020 called Schrems. The Schrems ruling immediately invalidated the Privacy Shield, stripping the ability of companies to transfer data under this framework. Commercially that’s a problem that needs fixing because Trans-Atlantic data flows between the US and EU account for over $1 trillion in cross-border commerce each year.
The effect of Schrems was to strip away the ability of companies to transfer data under this framework. To compensate, many firms have imple mented EU-approved standard contractual clauses – ‘SCCs. Back in March, shortly after the joint press statement, we flagged this issue in an Outlaw article called ‘New framework for EU-US data flows moves closer’ which carries the message - don’t wait for the new Privacy Shield because it may be many months away and, in the meantime, continue to rely on SCCs, and other transfer mechanisms, to ensure compliance with the GDPR.
So, what does the prospect of a new Framework mean for HR professionals on this side of the Atlantic and in what context might this arise? A good example is artificial intelligence – the purchase of AI systems from the US which are implemented within UK businesses. Back in March data specialist Aisleen Pugh flagged many of the issues in her Outlaw article: ‘Artificial intelligence in the workplace: implications for HR professionals’. I asked Aisleen for her reaction to the news about the Framework:
Aisleen Pugh: “So it's good news for international organisations, who are perhaps headquartered in the US or have us subsidiaries, because it will provide a mechanism for easier data flows between international business subsidiaries. So HR should certainly be aware of that development, because it's important, but it's likely that many organisations will already have other mechanisms for international data transfer within their business, but this does allow for another lawful method for data transfer.”
Joe Glavina: “What’s your message to HR on buying new AI technologies from abroad?”
Aisleen Pugh: “So another thing that HR professionals should be alive to in the implementation of AI systems in their businesses, is the fact that a lot of these systems are designed and developed in other jurisdictions, particularly the United States and, of course, a different data protection regime applies in the United States, it tends to be less stringent than the one that's applied here in England and Wales and so HR need to be alive to that insofar as the design and development of the systems is based on a different data protection regime, where different considerations apply in the appropriate and reasonable lawful use of personal data.’
Joe Glavina: “So what should HR be doing if the business is buying AI from the US?”
Aisleen Pugh: “So, I think principally understanding at the procurement stage what it is that the system does, how it's designed, how it produces its output, that's going to be absolutely key. I think then, in addition, asking questions around how the system is designed to mitigate potential risks from a data protection perspective.”
Joe Glavina: “So, finally, your advice to HR?”
Aisleen Pugh: “Yes, so this is a particularly specialist area and there are lots of legal considerations as to how to achieve lawful international data transfers. So, really something just for HR to be aware of, if you do have us subsidiaries, and something to take further advice on if you are thinking about data flow between your US subsidiaries and your UK or EU subsidiaries.”
Aisleen has written in detail about AI in the workplace and the importance of HR understanding how the technology works and its impact on decision-making. That is: ‘Artificial intelligence in the workplace: implications for HR professionals’ and it is available from the Outlaw website.