EU-U.S. Privacy Shield, Brexit and the Future of Transatlantic Data Flows

Abstract

This report analyses the issues raised by EU-U.S. commercial data flows, including the future status of the Privacy Shield framework and standard contractual clauses (SCCs). It begins by comparing the systems of data protection in the EU and the U.S., highlighting key philosophical, legal and practical differences. The next section assesses the history of EU-U.S. data flows and the upcoming judgement in the Schrems II case. It then outlines why a clash between U.S. national security laws and mass surveillance on the one hand, and EU data protection and fundamental rights law on the other, renders all transatlantic data transfer mechanisms vulnerable, with few alternative options. The final section focuses on EU-UK data flows post-Brexit and the UK’s quest for an EU adequacy decision, highlighting the key lessons which can be learnt from the EU-U.S. case study and the challenges which lie ahead. The main argument is that the EU-UK data flows relationship will be complex and could remain unresolved for years. Policy makers, businesses and data protection officers should prepare for a rocky few years ahead, not least due to the high possibility of any adequacy decision facing concerted legal challenges. Methodology: The findings were informed by analysis of primary documents, an extensive literature review and over sixty anonymous interviews with EU, U.S. and UK politicians, civil servants, ambassadors, regulators, lawyers, business leaders, data protection officers and researchers conducted between 2018 and 2020.