After nearly two years of detailed negotiations, on March 25, 2022, U.S. President Joe Biden and European Commission President Ursula von der Leyen announced an “agreement in principle” on a new Trans-Atlantic Data Privacy Framework (the “Framework”) to re-establish an important legal mechanism to effectuate cross-border transfers of personal data from the EU to the U.S. The Framework is hoped to address concerns raised by the decision of the Court of Justice of the European Union (the “CJEU”) in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (2020) (“Schrems II”).
Background: What happened in Schrems II?
In Schrems II, the CJEU identified deficiencies in the United States’ personal data protection regime and therefore invalidated the European Commission’s decision on the adequacy of the protection provided by the EU-U.S. Privacy Shield (the “Privacy Shield”), one of the primary mechanisms used for the cross-border transfer of personal data between the EU and the U.S. The CJEU struck down the European Commission’s Privacy Shield adequacy decision on the basis that:
(1) U.S. surveillance programs, including those promulgated under Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333, permit unjustifiably broad government surveillance and are not limited to what is strictly necessary and proportionate, as required by EU law, therefore failing to meet the requirements of Article 52 of the EU Charter on Fundamental Rights (“EU Charter”); and
(2) with regard to such U.S. surveillance, EU data subjects lacked actionable judicial redress, leaving them without a right to an effective remedy in the U.S., as required by Article 47 of the EU Charter.
Although the CJEU found that the use of Standard Contractual Clauses (“SCCs”) to transfer personal data to controllers or processors outside of the EU remained valid, the court noted that entities relying on SCCs still need to undertake case-by-case “assessments” as required by Article 46(1) of the EU GDPR to determine whether the laws in the recipient country ensure an adequate level of protection to safeguard the personal data of EU individuals.
The Schrems II decision has made it increasingly difficult for businesses transferring EU personal data to the U.S., leading many companies to consider suspending operations in Europe if further agreements between the EU and U.S. are not reached.
For detailed discussion on the impact of Schrems II, see our previous blog post here.
Despite the limited information currently available about the substance of the Framework, it is clear that the Framework is intended to address the deficiencies identified in Schrems II by both (i) imposing binding safeguards to limit access to EU personal data by U.S. intelligence authorities to what is necessary and appropriate, and (ii) balancing U.S. national security needs with European data subjects’ ability to challenge unlawful surveillance. According to a White House Fact Sheet published on March 25, 2022, the Framework will specifically ensure that:
- the collection of signals intelligence will only be undertaken when necessary to advance legitimate national security objectives and not result in a disproportionate impact on individual privacy rights and civil liberties;
- EU individuals will be able to seek redress from a new multi-layer redress mechanism that includes an independent Data Protection Review Court that would consist of individuals chosen from outside the U.S. government who would have full authority to adjudicate claims and direct remedial measures as needed; and
- U.S. intelligence agencies will adopt procedures to ensure effective oversight of new privacy and civil liberties standards.
As stated above, it is important to note that Schrems II did not invalidate the Privacy Shield itself (rather, the CJEU invalidated the prior European Commission adequacy decision in relation to the Privacy Shield), and thus the new Framework will continue to require businesses and organisations to comply with the Privacy Shield principles, including the requirement of self-certification through, and oversight by, the U.S. Department of Commerce.
What are the potential challenges with the new Framework?
The Framework marks a positive step towards alignment of the EU and U.S. privacy systems. However, without having a legal text to analyse at this stage, it is uncertain how much scrutiny the Framework will face from commentators. Max Schrems, the main litigant in Schrems II, has already indicated his scepticism towards the Framework and its ability to pass the “essentially equivalent protections” test articulated by the CJEU in Schrems II, stating his intention to challenge the new deal if its final details do not align with EU law.
An area of potential scrutiny could be the lack of information surrounding U.S. government surveillance, and how this will change from prior practice. It appears the U.S. government has not promised to refrain from the use of signals intelligence, but instead has limited this activity to “legitimate national security interests.” Only time will tell whether the language of the Framework will result in a lawful mechanism to facilitate cross-border transfer of personal data from the EU to the U.S., or if we are looking at a potential Schrems III scenario.
Further, it is unclear how the Framework will address the Supreme Court’s recent decision in FBI v. Fazaga, upholding the “state secrets” privilege, which ultimately makes it increasingly difficult to challenge government surveillance programs in federal courts. The Fazaga decision also amplified the current inadequacy of U.S. privacy safeguards.
What happens next and how should businesses prepare?
The U.S. government and the European Commission intend to continue their cooperation, with a view to translating this Framework into legal documents that will need to be adopted in both territories. In the U.S., this will require an Executive Order from President Joe Biden that will in turn form the basis of the European Commission’s assessment in its future adequacy decision. In summary, this process will likely take several months – providing further opportunity for scrutiny and debate.
For EU companies, the legal position currently remains the same in that the Privacy Shield can no longer be used for transferring personal data to the U.S., and any transfers made under the SCCs (or other appropriate safeguards) must be accompanied by an “assessment” of the extent to which the laws of the importing third country provide an adequate level of protection.
For UK companies and businesses with main operations in the UK, it is essential to note that the UK GDPR is a separate body of law and grants the UK government an independent authority to issue its own adequacy decisions. At present, there is no commentary to suggest the UK’s view on this new Framework, but we do know that the U.S. is on the UK’s priority list for future UK data partnerships, and so cooperation with the U.S. is envisaged.
We will continue to monitor developments and provide further updates as the situation unfolds and the final text is released. Once officially adopted, this Framework should not necessarily require modifications to the policies and procedures that businesses and organisations have implemented to comply with existing data protection laws as outlined above but may indicate the availability of alternative means in the future to ease the burden associated with compliant cross-border transfers of personal data out of the EU.