The question

Are we any nearer to a new transatlantic data privacy framework?

The key takeaway

Progress has been made on a transatlantic data privacy framework, providing hope for greater commercial certainty and safeguards for entities processing international data flows.

The background

On 25 March 2022, after a year of “detailed negotiations”, the European Commission and the United States announced reaching an “in principle” agreement on a new Trans-Atlantic Data Privacy Framework (TADPF). The TADPF will replace the EU-US Privacy Shield which was rejected in July 2020 by the Court of Justice of the European Union (CJEU) in its Schrems II decision.

The CJEU, in Schrems II held that the Privacy Shield was invalid for two main reasons:

  • US national security surveillance programmed were still not restricted by the principle of proportionality. US authorities could still access and use the personal data transferred under the EU-US Privacy Shield for purposes which went beyond what is strictly necessary and proportionate to the purpose of national security.
  • The redress available to EU data subjects via the Privacy Shield’s Ombudsperson mechanism did not provide “essentially equivalent” administrative and judicial redress, comparable to EU law.

The development

For EU individuals, the new TADPF deal will include higher standards commitments to protect their personal data. The US has also agreed to put in place new safeguards to ensure that signals surveillance activities are only “necessary and proportionate” in the pursuit of defined national security objectives. In addressing the problem of redress, a new two-level independent redress mechanism with binding authority to direct remedial measures has also been introduced. Lastly, rigorous, and layered oversight of signals intelligence activities are now necessary to assist with compliance with limitations.

Changes to the redress mechanism include a new US Data Protection Review Court that would consist of individuals chosen from outside the US government who would have full authority to adjudicate claims and direct remedial measures as needed. US intelligence agencies will also be able to adopt procedures to ensure effective oversight of the new privacy and civil liberties standards.

Why is this important?

There is a targeted commercial effort to remove barriers to transatlantic data flows. The newly agreed TADPF should significantly improve the current position by enabling a flow of data that underpins over $1trillion worth of cross-border e-commerce. Though sceptics like Max Schrems remain suspicious about the proportionality reassurances from the US, this is hopefully a step in the right direction.

An iterative process has now commenced where the US government along with the European Commission will work on translating the deal into legal documents that can be adopted on both sides. The current expectation is that the work undertaken in respect of the new TADPF can be leveraged and applied to other transfer regimes, including in the UK and Switzerland.

Any practical tips?

We’ve been here twice before with the (both invalidated) US-EU Safe Harbor Framework and the EU-US Privacy Shield, so perhaps the best practical tip is not to hold your breath – the new system will almost inevitably attract similar legal challenges.