On 25 March 2022, the European Commission and the United States Government announced an "agreement in principle" on a new EU-US Trans-Atlantic Data Privacy Framework (the Framework). The purpose of this is to address the concerns that the Court of Justice of the European Union (CJEU) raised in the Schrems II decision, and thus allow the flow of personal data from the EU to the US in a manner that is compliant with the requirements of the GDPR.
Transatlantic data transfers had been permitted under the Privacy Shield following an adequacy decision by the EU Commission. On 16 July 2020, the CJEU struck down this adequacy decision, meaning that transatlantic data transfers made under the Privacy Shield would no longer be GDPR-compliant. The two key reasons for the CJEU's decision were:
- The US legal system did not provide adequate protection to data subjects against electronic surveillance or signals intelligence activities carried out by the US Federal Authorities.
- The data subjects affected by these activities did not have a right of redress which was "essentially equivalent" to the right to an effective remedy before an independent and impartial tribunal, as is guaranteed under the GDPR.
This decision led to legal uncertainty around the correct processes to follow when transferring data from the EU to the US. The new Framework will, in theory, address these concerns and include key measures to "ensure the privacy of EU personal data and create a new mechanism for EU individuals to seek redress if they are unlawfully targeted by signals intelligence activities".
Will the Framework stand up to scrutiny?
Key aspects of this Framework will almost certainly be subject to significant scrutiny. Of particular concern is that the US government is not promising to stop signals intelligence and electronic surveillance; rather, it states that these activities will be limited to "legitimate national security interests" and that the impact on individuals will not be "disproportionate". The CJEU has already held US surveillance not to be proportionate, and previous agreements (Safe Harbor and then the Privacy Shield) have fallen twice at this hurdle. Another issue is the proposed Data Protection Review Court, which will be established under an executive order by the US Government and may therefore lack the independence and legitimacy required by the Schrems II judgment.
Further, while the EU and US have agreed certain key principles, they have yet to draft the relevant legal documents to give effect to these. This means that any actual "adequacy decision" in respect of the Framework will not be forthcoming in the near future, creating uncertainty for businesses as to when (or if) this Framework can ever be relied upon for transatlantic data transfers.
Privacy campaigners, including NOYB led by Max Schrems, have indicated that they expect to challenge this Framework, with Schrems describing it as "lipstick on a pig". Schrems has predicted that the Framework will fail, stating that it is merely a political announcement which will not ensure compliance with the law and fundamental rights. Schrems stated that if, following a review of the full legal text, the Framework is not in line with EU law then NOYB or another group "will likely challenge it".
What should organisations do?
For now, the safest bet for businesses in the UK and EU will be to continue relying on transfer mechanisms that have already been approved, such as standard contractual clauses (SCCs) accompanied by transfer impact assessments (TIAs) documenting why the transfer remains lawful in light of Schrems II.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.