What happened previously?
On 16 July 2020, in its judgment on the Schrems II case, the Court of Justice of the European Union (‘CJEU’) declared the EU-US Privacy Shield Agreement invalid as it did not provide the adequate protection required under the General Data Protection Regulation (‘GDPR’) when transferring personal data from the EU to the US. This decision was reported in our last update and had major implications for the way large US tech companies collect data from EU citizens, and for European businesses seeking to transfer data to the US.
Nearly two years later, on 25 March 2022, the EU and US announced that they had reached an ‘agreement in principle’ on a Privacy Shield replacement. The White House and the European Commission each issued fact sheets on the Trans-Atlantic Data Privacy Framework (‘TADPF’) that provide detail on the intent of the agreement, but the legal specifics are not clear. It remains to be seen whether the TADPF will face a legal challenge similar to those brought against Privacy Shield and, before that, Safe Harbour.
This is undoubtedly welcome news, especially for large US-based technology companies and other organisations that have been dealing with the legal uncertainty of trans-Atlantic data flows following the Schrems II decision and had been forced to fall back on the standard contractual clauses (‘SCC’). The original Privacy Shield was the replacement for Safe Harbour, an earlier EU-US data pact that was invalidated by the CJEU in 2015 due to similar clashes between EU privacy rights and US surveillance laws. It will be interesting to see whether the TADPF can withstand the scrutiny of the courts, as well as that of the privacy campaigners who triggered the downfall of the previous two regimes.
What does the TADPF provide?
Under the proposed TADPF, the US has made commitments to:
1. Strengthen the safeguards governing US signals intelligence activities;
2. Establish a two-tier redress system that includes an independent Data Protection Review Court composed of individuals from outside the US Government to investigate and resolve complaints; and
3. Enhance existing rigorous and layered oversight with US intelligence agencies adopting procedures to ensure effective oversight of new privacy and civil liberties standards.
What are the chances this framework will succeed?
Organisations that rely on trans-Atlantic data flows hope this will be third time lucky, and that the TADPF will allow for seamless transfers of personal data from the EU to the US without any amendments to US surveillance laws.
Max Schrems, a well-known privacy activist who initiated the legal cases that resulted in both the Schrems I and Schrems II decisions, has issued a statement in response to the news of the agreement, indicating that he saw this as another iteration of Privacy Shield and a ‘patchwork’ approach that will not hold up, but also that he would ‘wait and see’ what the details of the agreement are. A statement issued through his privacy group, Noyb, stressed that he would challenge the TADPF if it is not in line with EU law.
It is difficult to evaluate the TADPF’s chances of survival given the track record and the lack of information provided at present. It appears that the agreement in principle is going full speed ahead; however, the new deal will ultimately be scrutinised by the CJEU again.
What happens next?
The agreement in principle will now be translated into legal documents. The US commitments will be included in an Executive Order that will form the basis of a draft adequacy decision by the Commission to put in place the new TADPF. Once the TADPF becomes effective, it will only apply to data transfers from EU/EEA countries to the US. Data transfers from the UK and Switzerland will need to comply with the UK International Data Transfer Agreement (‘IDTA’), its version of the Transfer Impact Assessment (‘TIA’) and Transfer Risk Assessment (‘TRA’), or the UK addendum to the SCCs. It is currently unclear whether the UK or Switzerland will adopt the TADPF to permit data transfers to the US from their respective countries. As data flows become increasingly important to international trade, strengthening privacy and security safeguards in the public and private sectors is an economic and geopolitical imperative for both sides of the Atlantic.
We will provide further updates on the TADPF as details become available.
How can Burges Salmon help?
If you would like any further information, please contact David Varney or another member of our Data Protection team.