How Companies Can Deal With EU–US Data Transfers While Complying With General Principles│Italy

In light of the ongoing conflict around the regulation of personal data flows between the EU and the USA, Rocco Panetta of PANETTA Studio Legale offers some timely advice for companies.

Published on 16 October 2023
Rocco Panetta, PANETTA Studio Legale, Chambers Expert Focus series contributor

Data transfers between the EU and the USA are grounded in the “adequacy decision” of the EU–US Data Privacy Framework. There is no shortage of critical voices; however, the storm on the horizon should not create unjustified alarmism. On the contrary, it can be an opportunity to set some targeted policy actions.

No one expected to still be navigating such a nauseating and unreasonable topic in times of ultra-fast networks, quantum computers, and AI. Nonetheless, the age-old problem of data transfers between the EU and the USA remains.

Not long after the EC adopted its long-awaited decision on the adequacy of the Data Privacy Framework for EU–US personal data transfers on 10 July 2022, the first rumours of possible attempts to request its annulment began to emerge. For those familiar with the political and legal dynamics that increasingly affect the data economy system, this will certainly come as no surprise. At the same time, this news should not be taken lightly. Here is why.

The Thorny Question of EU–US Data Transfers

The regulation of personal data flows between the EU and the USA has always been a complex and debated issue in the world of personal data protection and circulation.

With the ECJ judgment of 16 July 2020 invalidating the Privacy Shield (the legal instrument upon which transfers of personal data between the EU and the USA were previously based), this system entered a strong and unexpected state of alarm. All actors in the data protection ecosystem were therefore faced with a highly complicated situation.

“Certain market dynamics have decisively shifted the axis of cross-border processing towards the USA in recent years.”

The reaction of institutions and authorities was immediate and aimed at finding a solution to the loophole left by the “Schrems II” judgment. The political path initiated between the two shores of the Atlantic Ocean was swiftly followed by the intervention of the European Data Protection Board, which is to be credited with having provided – with crucial timing – clarifications and methodologies to address an unprecedented scenario. Interpreters and scholars, for their part, promptly went to work to find a theoretical and operational framework in an area where comments and reflections are particularly stimulating and extremely useful.

Market reactions after Schrems II

For companies, however, a season of great uncertainty and hesitancy has descended since the day of the ECJ ruling. The search for a new compliance balance in the absence of the regulatory parameter that had underpinned these cross-border flows for several years represented one of the most important and complicated challenges in the world of personal data protection.

This is also down to certain market dynamics, which have decisively shifted the axis of cross-border processing towards the USA in recent years. As such, Data Protection Officers (DPOs) have had to immerse themselves in a supervisory and advisory role with even greater dedication – without which, tackling such a scenario would have been much more arduous.

“It will not be long before the EC’s adequacy decision on EU–US Data Privacy Framework is before the courts.”

As the months went by, businesses’ confidence in a speedy resolution of the issue grew almost proportionally as the political negotiations progressed. Three years on, the new legal instrument for data transfers between the EU and the USA has finally been given effect and is currently undergoing the stress test of the market.

And yet, the framework has been at the centre of some critical remarks from the outset. As mentioned, it appears it will not be long before the EC’s latest adequacy decision is before the courts.

Why Is Legal Clarity So Important When It Comes to Cross-Border Data Transfer?

This is clearly not the place to analyse in detail the reasons that led to the invalidation of the Privacy Shield or the motivations behind the protracted vacuum period that ended in July 2022. Based on first-hand experience at the Italian Data Protection Association (Garante), the author is familiar with the complexity of this particular area of personal data protection and circulation law, which continues to reveal new nuances and impacts today.

What is important to emphasise here, however, is the need to always prioritise compliance with general principles, and this must also apply to cross-border processing. In this regard, legal certainty plays a key role. Indeed, whatever the political and legal solution to the data transfer dispute between the EU and the USA, the importance of preventing companies and public bodies from being deprived of clear co-ordinates to guide their choices and make informed decisions must never be overlooked.

What Can Companies Do?

Right now, transfers between the EU and the USA are based on the adequacy decision of the EU–US Data Privacy Framework. The stormy waters ahead should not, of course, create unwarranted concern.

However, as the end of 2023 approaches, this may be the right opportunity to set some targeted policy actions – for example, planning audits specifically focused on cross-border processing. This should be done by putting one’s own DPO at the forefront and providing them with all the necessary resources, both human and economic.
