Since July 2020, organisations exporting personal data from the EEA (and the UK, following Brexit) to the United States have faced challenges created by the ruling of the Court of Justice of the European Union (CJEU) in “Schrems II”. 

In response to actions brought by lead litigant Max Schrems, the CJEU ruled the previous EU-US Privacy Shield cross-border transfer mechanism to be invalid and mandated further scrutiny over exports of personal data from the EEA more generally. The CJEU’s concerns principally related to the potential access of personal data subject to the GDPR by authorities in the United States. Organisations that relied on the Privacy Shield have generally adapted to the ruling by introducing alternative cross-border transfer mechanisms, such as standard contractual clauses, and completing data transfer impact assessments.

In March 2022, the European Commission and authorities in the United States announced an agreement in principle for a new Transatlantic Data Privacy Framework (the Framework). While the Framework remains a political agreement, it is intended to permit the free flow of personal data from the EEA to the United States without further safeguards where certain conditions are met. 

The principles for the Framework include a new set of rules around limiting US authority access to personal data and a revised redress system to investigate data subject complaints.

The proposal for the Framework has been met with a mixed response from authorities and privacy campaigners. The European Data Protection Board has announced an intention to scrutinise any development of a legal framework based on the political agreement. 

As may be expected, None of Your Business (NOYB), the campaigning organisation run by Max Schrems, published an open letter on 23 May 2022 setting out a number of concerns with the proposed Framework. These include the need for a correct proportionality test under US law and a reliance on readopting Privacy Shield principles (which have already been held not to comply with the GDPR). NOYB threatens litigation through the CJEU if these concerns are not remedied, opening the door for a possible “Schrems III” legal action.

More information about the Framework can be found here.

NOYB’s letter can be found here.