The European Union has announced an ‘agreement in principle’ with the United States on a new data transfer framework, intended to replace the Privacy Shield framework that was struck down in 2020.

What happened previously?

On 16 July 2020, the Court of Justice of the European Union (“CJEU”) declared the EU-US Privacy Shield Agreement invalid as it did not provide the adequate protection required by the General Data Protection Regulation (“GDPR”) when transferring personal data from the EU to the US. This decision was reported in our last update and had major implications for the way large US tech companies collect data from EU citizens.

Nearly two years later, on 25 March 2022, the EU and US announced that they had reached an “agreement in principle” on a Privacy Shield replacement. The White House and the European Commission each issued fact sheets on the Trans-Atlantic Data Privacy Framework (“TADPF”), providing detail on the intent of the agreement, but the legal specifics are not clear. It remains to be seen if the TADPF will face a similar legal challenge.

This is undoubtedly welcome news, especially for Facebook/Meta, Google and other companies that have been dealing with the legal uncertainty of such data flows following the Schrems II decision and had been forced to fall back on the imperfect standard contractual clauses (“SCC”). The original Privacy Shield was the replacement for Safe Harbour, an earlier EU-US data pact that was invalidated by the CJEU in 2015 due to the same clashes between EU privacy rights and US surveillance laws. It will be interesting to see whether the TADPF can withstand the scrutiny of the courts, as well as that of the privacy campaigners who triggered the downfall of the previous two regimes.

What does the TADPF provide?

Under the proposed TADPF, the US has made commitments to:

  1. Strengthen the safeguards governing US signals intelligence activities;
  2. Establish a two-tier redress system that includes an independent Data Protection Review Court composed of individuals from outside the US Government to investigate and resolve complaints; and
  3. Enhance existing rigorous and layered oversight with US intelligence agencies adopting procedures to ensure effective oversight of new privacy and civil liberties standards.

What are the chances this framework will succeed?

Organisations that rely on Trans-Atlantic data flows hope this will be third time lucky, and that the TADPF will allow for seamless transfers of personal data from the EU to the US without any amendments to US surveillance laws.

Max Schrems, a well-known privacy activist who initiated the legal cases that resulted in both the Schrems I and Schrems II decisions, has issued a statement in response to the news of the agreement, indicating that he saw this as another iteration of Privacy Shield and a “patchwork” approach that will not hold up, but also that he would “wait and see” what the details of the agreement are. A statement issued through his privacy group, Noyb, stressed that he would challenge the TADPF if it is not in line with EU law.

It is difficult to evaluate the TADPF’s chances of survival given the track record and the lack of information provided at present. It appears that the agreement in principle is going full speed ahead; however, the new deal will ultimately be scrutinised by the CJEU again.

What happens next?

The agreement in principle will now be translated into legal documents. The US commitments will be included in an Executive Order that will form the basis of a draft adequacy decision by the Commission to put in place the new TADPF. Once the TADPF becomes effective, it will only apply to data transfers from EU/EEA countries to the US. Data transfers from the UK and Switzerland will need to comply with the UK International Data Transfer Agreement (“IDTA”), its version of the Transfer Impact Assessment (“TIA”) and Transfer Risk Assessment (“TRA”), or the UK addendum to the SCCs. It is currently unclear whether the UK or Switzerland will adopt the TADPF to permit data transfers to the US from their respective countries. As data flows become increasingly important to international trade, strengthening privacy and security safeguards in the public and private sectors is an economic and geopolitical imperative for both sides of the pond.