The Trans-Atlantic Data Privacy Framework – the answer to Schrems II?

Almost two years ago, the Schrems II decision from the Court of Justice of the European Union (‘CJEU’) overturned the manner in which EU (and UK) personal data was transferred to the US.

Now, the United States and the European Commission have agreed in principle to a new Trans-Atlantic Data Privacy Framework (the ‘Framework’) to foster EU-US data flows and address the concerns raised by the CJEU in the now infamous Schrems II decision.

With data flows between the two regions underpinning €900 billion in cross-border commerce each year, this is highly welcome news for businesses on both sides of the Atlantic.


What happened in Schrems II?

In July 2020, the CJEU invalidated the EU-US Privacy Shield framework in a preliminary hearing for the Schrems II case, in which privacy activist Maximilian Schrems was pursuing Facebook in Ireland over Facebook’s transfers of personal data to the US.

Facebook, along with thousands of other businesses, used to carry out such transfers of personal data either through the Privacy Shield mechanism or the old EU Standard Contractual Clauses. The Privacy Shield was the safeguard mechanism for personal data transfers from the EEA to the US, whereby a US company certified under the framework was allowed to receive EEA personal data without having to rely on another mechanism under Chapter 5 of the General Data Protection Regulation (EU) 2016/679 (‘GDPR’), such as entering into the Standard Contractual Clauses mentioned before.

However, the regime had its faults, and after only four years in existence it was invalidated. This was due to the wide data capture powers allowed under US national security legislation, namely Section 702 of the Foreign Intelligence Surveillance Act (known as FISA) and Executive Order 12333, which contradict Europe’s notion of fundamental rights under the EU Charter of Fundamental Rights (‘EU Charter’) and, as a result, the GDPR.

It was also held that the framework did not provide sufficient mechanisms to reconcile this conflict between US surveillance laws and EU privacy laws. Importantly, the Ombudsman mechanism in place in the US was deemed not to be of “essential equivalence” with the mechanisms afforded under the GDPR and the EU Charter.

The old Standard Contractual Clauses were also the subject of this decision, with the CJEU pointing out the updates required to ensure that they were not just a piece of paper that is signed and thrown into a drawer. The new EU Standard Contractual Clauses released on 4 June 2021 addressed this; however, a Privacy Shield-shaped hole has remained an issue for several businesses over the last two years.

The New Trans-Atlantic Data Privacy Framework

Now, after a year of detailed negotiations between the US and the European Commission, led by the EU Commissioner for Justice, Didier Reynders, and the US Secretary of Commerce, Gina Raimondo, the two sides have come to an agreement in principle on the Framework. Whilst the text of the Framework has not yet been released, the following elements have been highlighted by the two administrations as its driving force:

Necessary and proportionate signals intelligence collection:

Under the Framework, the US will put in place new safeguards to ensure that signals surveillance activities meet the requirements of being necessary and proportionate in the pursuit of defined national security objectives. This language is taken from the GDPR and is therefore an attempt to bring the US regime closer to the gold standard offered in the EU and the UK.

Such processing of EEA personal data must not disproportionately impact the protection of individual privacy and civil liberties. However, how this plays out in reality remains to be seen.

Two-tier redress mechanism:

The US will also establish a two-tier independent redress mechanism with binding authority to direct remedial measures.

This is in direct response to the concerns of the CJEU over the old US Ombudsman mechanism and its lack of equivalence to the right of effective remedy before a tribunal provided by Article 47 of the EU Charter.

This two-tier redress system will include the creation of an independent Data Protection Review Court (the ‘Court’), with the aim of investigating and resolving complaints by EU residents about access to their personal data by US intelligence authorities. This Court will consist of individuals chosen from outside the US Government who will have full authority to adjudicate claims and direct remedial measures as required.

Intelligence agencies to adopt new procedures:

Finally, the US will also commit to enhancing rigorous and layered oversight of signals intelligence activities to ensure compliance with limitations on surveillance activities.

Procedural changes:

Under the old Privacy Shield regime (which still exists in the US, but cannot be used as a transfer mechanism under the GDPR), companies self-certify to the US Department of Commerce, which validates such self-declarations in order to provide certification. This certification regime still exists and several companies continue to self-certify, as the certification itself can be seen as a badge of quality as to a company’s data protection measures in the US (particularly for international companies).

Under the new Framework, the requirement for companies to self-certify their adherence to the principles through the US Department of Commerce, as under the previous Privacy Shield regime, will continue. Therefore, those companies who have maintained their certifications despite the invalidation of the Shield should be in a good position to be certified under the new regime, depending on the details to be released.

Will this be adequate in light of the Schrems II decision?

In its fact sheet announcing the agreement in principle, the Biden administration stated that there are more data flows between the United States and Europe than anywhere else in the world, enabling the $7.1 trillion US-EU economic relationship. The disruption caused by the Schrems II outcome has therefore taken a toll on this relationship in terms of personal data transfers. Several businesses have seen negotiations on “international transfer” clauses take up more and more time and, in some cases, become a sticking point or even a dealbreaker.

Companies in both the US and the EU know this all too well, having spent nearly two years relying on alternative transfer mechanisms, such as the Standard Contractual Clauses, which have more recently included the requirement to conduct transfer impact assessments.

Therefore, the announcement of this agreement in principle is very much welcomed by such companies.

However, it has also been met with scepticism by some members of the privacy community.

Critics, such as Schrems and noyb, argue that the chink in the armour of the new Framework will be the fact that the new measures are to be implemented by way of an Executive Order (a directive from the President of the US) rather than through primary legislation passed by the US Congress.

This could pose an issue particularly for the operation of the new redress mechanism (namely, the Court) and its independence from the US Executive, which could affect the enforceability of its remedies against US intelligence authorities, whose surveillance powers are embedded in federal primary law.

However, time will tell whether this new Framework meets the standards required under the GDPR if (or when) the new regime is put in front of the CJEU; privacy campaigners are indicating that this is a certainty for them.

For the time being, this agreement in principle still needs to be translated into legal documentation, which includes the drafting of an Executive Order on the US side that will form the basis of the draft adequacy decision by the European Commission.

All companies transferring personal data to the US, which is a large majority considering the quasi-monopoly of some BigTech players such as Amazon Web Services or Microsoft, should keep an eye on the progress of the new Framework.

In the meantime, if you have any privacy questions, please do not hesitate to contact us!

Article by Komal Shemar, Legal Counsel at Gerrish Legal.
