Schrems II resolved? Unpacking the EU-US Trans-Atlantic Data Privacy Framework

The United States and the European Commission have agreed in principle to a new Trans-Atlantic Data Privacy Framework (the ‘Framework’) to foster EU-US data flows and address the concerns raised by the Court of Justice of the European Union (‘CJEU’) in the now infamous Schrems II decision. This is highly welcomed by businesses on both sides of the Atlantic, with continued data flows between the two regions underpinning €900 billion in cross-border commerce each year.

Invalidation of the Privacy Shield

In July 2020, the CJEU invalidated the EU-US Privacy Shield framework in its preliminary ruling in the Schrems II case (Case C-311/18, referred by the Irish High Court), in which privacy activist Maximilian Schrems had challenged Facebook Ireland’s transfers of his personal data to the US.

The Privacy Shield was the adequacy-based mechanism for personal data transfers from the EEA to the US, whereby a US company that had self-certified under the framework could receive EEA personal data without having to rely on another transfer tool under Chapter V of the General Data Protection Regulation (EU) 2016/679 (‘GDPR’), such as entering into the Standard Contractual Clauses.

After only four years in existence, the regime was invalidated because of the broad collection powers exercised by US intelligence authorities under Section 702 of the Foreign Intelligence Surveillance Act (‘FISA’) and Executive Order 12333. The CJEU found that these programmes were not limited to what is strictly necessary and proportionate, and therefore did not afford a level of protection essentially equivalent to that guaranteed by the EU Charter of Fundamental Rights (‘EU Charter’) and, by extension, the GDPR.

It was also held that the framework did not provide sufficient mechanisms to reconcile this conflict between US surveillance laws and EU privacy laws. Importantly, the Ombudsperson mechanism established in the US was found not to give EU data subjects a remedy essentially equivalent to the right to an effective remedy before an independent tribunal guaranteed by the EU Charter.

The New Trans-Atlantic Data Privacy Framework

Now, after a year of detailed negotiations between the US and the European Commission, led by the Commissioner for Justice Didier Reynders and the US Secretary of Commerce Gina Raimondo, the two sides have come to an agreement in principle on the Framework.

Necessary and proportionate signals intelligence collection

Under the Framework, the US will put in place new safeguards to ensure that signals intelligence activities are necessary and proportionate in the pursuit of defined national security objectives. Such processing of EEA personal data must not disproportionately impact individual privacy and civil liberties, bringing the US regime closer to the standard applied in the EU.

Two-tier redress mechanism

The US will also establish a two-tier independent redress mechanism with binding authority to direct remedial measures. This is in direct response to the concerns of the CJEU over the Ombudsman mechanism and its lack of equivalence to the right of effective remedy before a tribunal provided by Article 47 of the EU Charter.

This two-tier redress system will include the creation of an independent Data Protection Review Court (the ‘Court’), tasked with investigating and resolving complaints from EU individuals about access to their personal data by US intelligence authorities. The Court will be composed of individuals chosen from outside the US Government, with full authority to adjudicate claims and direct remedial measures as required.

Intelligence agencies to adopt new procedures

Finally, the US will also commit to rigorous and layered oversight of signals intelligence activities to ensure compliance with the new limitations on surveillance.

Separately, the requirement for companies to self-certify their adherence to the Framework’s principles through the US Department of Commerce, as under the previous Privacy Shield regime, will continue.

Will this be adequate in light of the Schrems II decision?

In its fact sheet announcing the agreement in principle, the Biden administration stated that there are more data flows between the United States and Europe than anywhere else in the world, enabling the $7.1 trillion US-EU economic relationship. The disruption caused by the Schrems II outcome has indeed taken a toll on this relationship in terms of personal data transfers.

Companies in both the US and the EU know this all too well, having spent nearly two years relying on alternative transfer mechanisms such as the Standard Contractual Clauses, which now also require the exporter to conduct a transfer impact assessment of the destination country’s laws and practices.

Therefore, the announcement of this agreement in principle is very much welcomed by such companies. However, it has also been met with scepticism by some members of the privacy community.

Critics argue that the chink in the armour of the new Framework is that the new measures are to be implemented by way of an Executive Order (a directive issued by the President of the US) rather than through primary legislation passed by the US Congress.

This could pose an issue in particular for the operation of the new redress mechanism (namely, the Court), its independence from the US Executive and the enforceability of its remedies against US intelligence authorities, whose surveillance powers are set out in primary federal legislation.

Time will tell whether this new Framework meets the standards required under the GDPR, if (or when) the new regime is challenged before the CJEU.

For the time being, this agreement in principle still needs to be translated into legal documentation, which includes the drafting of an Executive Order on the US side that will form the basis of the draft adequacy decision by the European Commission.

Sources: FACT SHEET: United States and European Commission Announce Trans-Atlantic Data Privacy Framework

European Commission and United States Joint Statement on Trans-Atlantic Data Privacy Framework

Article provided by INPLP members: Anthi Pesmazoglou and Komal Shemar (Gerrish Legal SARL, France)
