After almost two years of uncertainty surrounding transfers of personal data from Europe to the United States (‘US’), a political agreement for a new data transfer framework between the two key trade partners (‘Framework’) has made headlines. Nevertheless, in light of the serious issues with the two previous data transfer mechanisms, it will be interesting to follow the development and practical effectiveness of this new Framework.
In July 2020, the Privacy Shield framework regulating data transfers from the European Union (‘EU’) to the US (succeeding the previous ‘Safe Harbour’ mechanism) was declared invalid by the Court of Justice of the European Union (‘CJEU’) in its Schrems II ruling (CJEU-C-311/18). This was essentially due to concerns around US surveillance laws, which allow US intelligence agencies unfettered access to EU data subjects' personal data. Consequently, a high degree of legal uncertainty was created around the flow of data to the US.
Following this ruling, the Standard Contractual Clauses (‘SCCs’) issued by the European Commission were widely relied upon for such data transfers. However, the workability of the SCCs has also been called into question by subsequent decisions issued by national data protection supervisory authorities. In fact, decisions issued by the DSB and the CNIL respectively have determined that European website operators relying on the SCCs for the transfer of data to US-based Google Analytics are in breach of the GDPR. As in the Schrems II ruling, the authorities concluded that the SCCs do not sufficiently prevent US intelligence authorities from gaining access to such data.
Notwithstanding all these challenges, the increasing reliance on digital trade between the EU and the US, together with public threats made by tech giants such as Meta to cease their European operations, have prompted Washington and Brussels to finally see eye to eye on a new Framework.
The new Trans-Atlantic Data Privacy Framework
Although at this stage the new Framework is merely a high-level political agreement, the European Commission and US government published a joint statement on 25 March 2022, highlighting the key principles below, which emanate from this agreement.
Much like its predecessor, the primary aim of the new Framework is to ensure the free and secure flow of data between the EU and the US in terms of the requirements of the GDPR.
In response to the critique relating to the unfettered access to data enjoyed by US intelligence agencies, a new set of binding safeguards shall be introduced in order to limit such access to what is necessary and proportionate to protect national security, along with procedures to ensure oversight of privacy standards. Furthermore, a new two-tier redress system shall be introduced for the investigation of complaints submitted by EU citizens regarding access to data by US intelligence agencies, allowing EU citizens' claims to be heard before a newly established Data Protection Review Court.
While the requirement for US companies to self-certify their adherence to the new Framework through the U.S. Department of Commerce shall remain in place, new monitoring and review mechanisms shall also be established.
A deal on shaky ground
As expected, the agreement has been met with scepticism by various privacy advocates. Notably, Maximilian Schrems has declared that it is merely ‘lipstick on a pig’, referring to the introduction of solely superficial changes to the invalidated Privacy Shield, without actual amendments and solutions to the persistent problem of US surveillance of EU personal data. Schrems and other high-profile privacy experts already foresee that the new Framework will follow the unfortunate fate of its predecessors and end up invalidated by the CJEU, causing further legal uncertainty in the years to come.
Notwithstanding the criticism, the European Commission seems positive that the new Framework will foster EU-US data flows and will cater for the concerns raised by the CJEU and by data protection authorities with respect to the unhampered access to data by US surveillance authorities.
This pact to develop a new Framework is definitely a step in the right direction, demonstrating that there is the necessary political will to address the existing uncertainty surrounding this subject. Furthermore, the key Framework principles which were published in the above-mentioned joint statement seem to be geared towards resolving the main issues which led to the invalidation of its predecessors.
Nevertheless, it is still premature to predict the practical effectiveness of the new Framework. The devil is in the detail, and a proper analysis of the implications of this new Framework may only be carried out following the publication of the Framework itself. Until then, the much-desired legal certainty for both European and US businesses engaging in data transfers cannot be truly achieved. It should be noted that, for the time being, there is no announced timeframe for this agreement to be developed into official legal text.