Max Schrems, the founder of NOYB—European Center for Digital Rights, based in Vienna, keeps challenging data privacy regulations. For years, the Austrian data privacy advocate has made it his mission to push data privacy laws to be stricter. Thanks to him, the mechanism for easy transfer of data between Europe and the U.S. has gone through a few iterations. The third and current version, called the Data Privacy Framework (DPF) for Europe and the U.K.-U.S. Data Bridge for the U.K., just went into effect in 2023.
“The EU/U.K. has a very dim view of the U.S. system of privacy, and so in order to legally transfer data from the EU/U.K. to the U.S., there needs to be a legal transfer mechanism in place that imposes data protection protocols on the recipient,” said Kwabena Appenteng, an attorney with Littler in Chicago.
Previous Mechanisms
At first, companies could depend on standard contractual clauses to cover data transfer between the U.S. and the U.K. These standard contracts would spell out the protocols that companies agreed to implement while storing and transferring data. Or, companies could enter into their own binding corporate rules and submit those to the data protection authority.
The next iteration of data protection was the safe harbor.
“The safe harbor was a mechanism created by the U.S. government, specifically the Department of Commerce and the EU Commission, that essentially said businesses in the U.S. can certify to handle any personal data they receive from the EU, in accordance with a set of protocols, which we will set forth,” Appenteng said. When that was struck down, “subsequently, the Privacy Shield was put in place, which was the next iteration of the safe harbor.”
However, in 2020, the Privacy Shield was struck down by the Court of Justice of the European Union in the case Schrems II.
“Brexit added further complications, as organizations that wanted to transfer data from the U.K. to the U.S. were required to put in place U.K.-specific transfer mechanisms,” said Helen Yost, an attorney with Reynolds Porter Chamberlain in London. “This most often took the form of the U.K. standard contractual clauses, with the accompanying obligation to carry out U.K. transfer risk assessments.”
“What [Schrems] said was that the standard contractual clauses that were being used at the time—and also the Privacy Shield—did not offer sufficient protection to the data of EU residents; it led to both being invalidated,” Appenteng said. “So, the standard contractual clauses that are now in place are much more onerous.”
Most Recent Data Protection: The DPF
Finally, in July 2023, the DPF went into effect, followed in October by the U.K.-specific (but otherwise identical) U.K.-U.S. Data Bridge. The DPF and Data Bridge have the same fundamental concepts as the Privacy Shield, with tweaks based on the Court of Justice of the European Union’s ruling that are designed to close gaps in the previous iteration. Companies no longer have to institute strict standard contractual clauses.
“The good news is that many U.S. businesses don’t need to certify [under the DPF and Data Bridge],” Appenteng said. “They’re going to be grandfathered in if they’ve maintained their Privacy Shield certification.”
The DPF and the Data Bridge add new rights about transferred personal data and the means to seek redress related to the use of that data. “These redress mechanisms include the newly created Data Protection Review Court, which can investigate complaints and make binding rulings,” Yost said.
“This is all designed to provide assurance to individuals and to regulators that the way in which personal data that is received by DPF member companies, the protections given to that data, will be seen as being adequate,” said Kate Brimsted, an attorney with Bryan Cave Leighton Paisner in London.
Under the DPF and the Data Bridge, employers must keep employees informed about the transfer of their data out of the U.K., including why any transfers are occurring, Brimsted said.
The benefits of the Data Bridge are clear for companies. “If you’re in the EU or you’re in the U.K. and you want to transfer data to a U.S. vendor, and that U.S. vendor’s listed [as part of the DPF or the Data Bridge], it gives you the ability to transfer that data without undergoing the onerous process that now has to be satisfied with the new standard contractual clauses,” Appenteng said.
Watch Out for Legal Challenges
However, companies would be wise not to depend solely on the Data Bridge yet, because a legal challenge from Schrems is again expected.
So, the DPF and Data Bridge “shouldn’t be looked at as a long-term solution,” Appenteng said. “Companies will be well served by also ensuring that they have standard contractual clauses. They don’t necessarily need to implement them now, but then they’re in a position to implement them in the future.”
The challenge is likely to be to the DPF, and it’s unclear whether the potential end of the DPF would also be the end of the Data Bridge. “I think that’s one of those elephant-in-the-room questions. I would presume that it will be quite difficult for U.K./U.S. transfers to rely on the Data Bridge if the Data Privacy Framework has itself been invalidated,” Brimsted said.
Whether or not the DPF and the U.K.-U.S. Data Bridge stand, it will be wise for companies to have backup methods in place for U.K.-U.S. data transfer until the mechanism is upheld in court.
Katie Nadworny is a freelance writer in Istanbul.