Written by Sean Hogle
On March 25, the U.S. and European Union (EU) reached an agreement in principle to return to a free flow of data between the two regions. The newly agreed Trans-Atlantic Data Privacy Framework for GDPR-compliant transfers of EU personal data to the United States is designed to overhaul the previous Privacy Shield agreement, which was ruled inadequate in the Schrems II case by the Court of Justice of the European Union (ECJ) in 2020. This was primarily due to worries that U.S. law enforcement agencies could access data transferred from the EU to the U.S.
With this ruling, transferring personal data from the EU to the U.S. has become far more complex, with organizations having to use alternative mechanisms like standard contractual clauses.
A fact sheet from the White House, issued on March 25, established the headline terms of the agreement. Under the Trans-Atlantic Data Privacy Framework, the United States has made unprecedented commitments to:
- Strengthen the privacy and civil liberties safeguards governing the U.S. signals intelligence activities;
- Establish a new redress mechanism with independent and binding authority; and
- Enhance its existing rigorous and layered oversight of signals intelligence activities.
For example, the new Framework ensures that:
- Signals intelligence collection may be undertaken only where necessary to advance legitimate national security objectives and must not disproportionately impact the protection of individual privacy and civil liberties;
- EU individuals may seek redress from a new multi-layer redress mechanism that includes an independent Data Protection Review Court that would consist of individuals chosen from outside the U.S. Government who would have full authority to adjudicate claims and direct remedial measures as needed; and
- U.S. intelligence agencies will adopt procedures to ensure effective oversight of new privacy and civil liberties standards.
In a statement, Ursula von der Leyen, President of the European Commission, said:
“I am very pleased that we have found an agreement in principle on a new framework for transatlantic data flows. This will enable predictable and trustworthy data flows between the EU and U.S., safeguarding privacy and civil liberties. I really want to thank Commissioner Reynders and Secretary Raimondo for their tireless efforts over the past months to find a balanced and effective solution. This is another step in strengthening our partnership. We manage to balance security and the right to privacy and data protection.”
President Biden added that the agreement will “once again authorize transatlantic data flows that help facilitate $7.1 trillion in economic relationships.”
The devil is in the details
So far, the commentary is light on details about how the new privacy shield framework will work and how it will address the issues identified in the Schrems II judgment. There is a high likelihood that when the deal is officially agreed upon, it will be challenged in the courts by privacy campaigners.
The language of the White House fact sheet suggests some areas likely to attract scrutiny once the full details are available. Specifically:
- What degree of impact on individual data subjects will be considered acceptable, and in what situations? The Biden administration is not promising to refrain from using signals intelligence and electronic surveillance. It is promising that intelligence activity will be limited to “legitimate national security interests” and that the impact on individuals will not be “disproportionate.”
Max Schrems, the privacy lawyer and campaigner who brought the case that led to the Privacy Shield being invalidated, tweeted:
“Seems we do another #PrivacyShield, especially in one respect: Politics over law and fundamental rights. This failed twice before. What we hear is another “patchwork” approach but no substantial reform on the U.S. side. Let’s wait for a text, but my first bet is it will fail again.”
Where do we go from here?
Given that the Biden administration and EU Commission chose the President’s high-profile visit to Poland to announce the agreement in principle, they likely have a high level of confidence that the new framework will be successful.
The approval of the framework only requires an Executive Order from the President. The EU Commission process is more involved, requiring that they follow the procedures and consultation requirements under GDPR Article 45:
- A proposal from the European Commission
- An opinion of the European Data Protection Board
- An approval from representatives of EU member states
- Adoption of the decision by the European Commission.
That process could take many months, providing plenty of opportunities for challenge and debate. As the process continues, we will keep you up to date on the developments.