News
Schrems II resolved? Unpacking the EU-US Trans-Atlantic Data Privacy Framework
The United States and the European Commission have agreed in principle to a new Trans-Atlantic Data Privacy Framework (the ‘Framework’) to foster EU-US data flows and address the concerns raised by the Court of Justice of the European Union (‘CJEU’) in the now infamous Schrems II decision. This is highly welcomed by businesses on both sides of the Atlantic, with continued data flows between the two regions underpinning €900 billion in cross-border commerce each year.
Invalidation of the Privacy Shield
In July 2020, the CJEU invalidated the EU-US Privacy Shield framework in a preliminary hearing for the Schrems II case, where privacy activist Maximillian Schrems was pursuing Facebook in Ireland over their personal data transfers to the US.
The Privacy Shield was the safeguard mechanism for personal data transfers from the EEA to the US, whereby a US company certified under the framework was allowed to receive EEA personal data without having to rely on another mechanism under Chapter 5 of the General Data Protection Regulation (EU) 2016/679 (‘GDPR’), such as entering into the Standard Contractual Clauses.
Eventually, after having only been in existence for four years, the regime was invalidated due to the wide data capture powers allowed under US national security legislation, namely Section 702 of the Foreign Intelligence Surveillance Act (known as FISA) and Executive Order 12333, contradicting Europe’s notion of fundamental rights under the EU Charter of Fundamental Rights (‘EU Charter’), and as a result, the GDPR.
It was also held that framework did not provide for sufficient mechanisms to reconcile this conflict between US surveillance laws and EU privacy laws. Importantly, the Ombudsman mechanism in place in the US was deemed to not be of “essential equivalence” with the mechanisms afforded under the GDPR and the EU Charter.
The New Trans-Atlantic Data Privacy Framework
Now, after a year of detailed negotiations between the US and the European Commission, led by the Commissioner for Justice Didier Reynders and the US Secretary of Commerce Gina Raimondo, the two sides have come to an agreement in principle on the Framework.
Necessary and proportionate signals intelligence collection:
Under the Framework, the US will put in place new safeguards to ensure that signals surveillance activities will meet the requirements of being necessary and proportionate in the pursuit of defined national security objectives. Such processing of EEA personal data must not disproportionately impact the protection of individual privacy and civil liberties, bringing the US regime more in line with that of the EU.
Two-tier redress mechanism:
The US will also establish a two-tier independent redress mechanism with binding authority to direct remedial measures. This is in direct response to the concerns of the CJEU over the Ombudsman mechanism and its lack of equivalence to the right of effective remedy before a tribunal provided by Article 47 of the EU Charter.
This two-tier redress system will include the creation of an independent Data Protection Review Court (the ‘Court’), with the aim of investigating and resolving complaints by EU residents of access of their personal data by US intelligence authorities. This Court will consist of individuals chosen from outside of the US Government who will have full authority to adjudicate claims and direct remedial measures as required.
Intelligence agencies to adopt new procedures
Finally, the US will also commit to enhancing rigorous and layered oversight of signals intelligence activities to ensure compliance with limitations on surveillance activities.
However, the requirement for companies to self-certify their adherence to principles through the US Department of Commerce, as per the previous Privacy Shield regime, will continue.
Will this be adequate in light of the Schrems II decision?
In its fact sheet announcing the agreement in principle, the Biden administration stated that there are more data flows between the United States and Europe than anywhere else in the world, enabling the $7.1 trillion US-EU economic relationship. The disruption caused by the Schrems II outcome has indeed taken a toll on this relationship in terms of personal data transfers.
Companies in both the US and the EU know this all too well, having spent nearly two years relying on alternative transfer mechanisms, such as the Standard Contractual Clauses, which has more recently included the requirement of conducting transfer impact assessments.
Therefore, the announcement of this agreement in principle is very much welcomed by such companies. However, it has also been met with scepticism by some members of the privacy community.
Critics argue that the chink in the armour of the new Framework will be the fact that the new measures shall be implemented by way of an Executive Order (which are directives from the President of the US) as opposed to through the passing of primary legislation by the US Congress.
This could pose an issue in particular for the operation of the new redress mechanism (namely, the Court), its independence from the US Executive and the enforceability of its remedies against US intelligence authorities, who have their surveillance rights embedded in federal primary law.
However, time will tell if this new Framework meets the standards required under the GDPR, if (or when) the new regime is put in front of the CJEU.
For the time being, this agreement in principle still needs to be translated into legal documentation, which includes the drafting of an Executive Order on the US side that will form the basis of the draft adequacy decision by the European Commission.
Sources: FACT SHEET: United States and European Commission Announce Trans-Atlantic Data Privacy Framework
European Commission and United States Joint Statement on Trans-Atlantic Data Privacy Framework
Article provided by INPLP members: Anthi Pesmazoglou and Komal Shemar (Gerrish Legal SARL, France)
Discover more about the INPLP and the INPLP-Members
Dr. Tobias Höllwarth (Managing Director INPLP)
News Archiv
- Alle zeigen
- November 2024
- Oktober 2024
- September 2024
- August 2024
- Juli 2024
- Juni 2024
- Mai 2024
- April 2024
- März 2024
- Februar 2024
- Jänner 2024
- Dezember 2023
- November 2023
- Oktober 2023
- September 2023
- August 2023
- Juli 2023
- Juni 2023
- Mai 2023
- April 2023
- März 2023
- Februar 2023
- Jänner 2023
- Dezember 2022
- November 2022
- Oktober 2022
- September 2022
- August 2022
- Juli 2022
- Mai 2022
- April 2022
- März 2022
- Februar 2022
- November 2021
- September 2021
- Juli 2021
- Mai 2021
- April 2021
- Dezember 2020
- November 2020
- Oktober 2020
- Juni 2020
- März 2020
- Dezember 2019
- Oktober 2019
- September 2019
- August 2019
- Juli 2019
- Juni 2019
- Mai 2019
- April 2019
- März 2019
- Februar 2019
- Jänner 2019
- Dezember 2018
- November 2018
- Oktober 2018
- September 2018
- August 2018
- Juli 2018
- Juni 2018
- Mai 2018
- April 2018
- März 2018
- Februar 2018
- Dezember 2017
- November 2017
- Oktober 2017
- September 2017
- August 2017
- Juli 2017
- Juni 2017
- Mai 2017
- April 2017
- März 2017
- Februar 2017
- November 2016
- Oktober 2016
- September 2016
- Juli 2016
- Juni 2016
- Mai 2016
- April 2016
- März 2016
- Februar 2016
- Jänner 2016
- Dezember 2015
- November 2015
- Oktober 2015
- September 2015
- August 2015
- Juli 2015
- Juni 2015
- Mai 2015
- April 2015
- März 2015
- Februar 2015
- Jänner 2015
- Dezember 2014
- November 2014
- Oktober 2014
- September 2014
- August 2014
- Juli 2014
- Juni 2014
- Mai 2014
- April 2014
- März 2014
- Februar 2014
- Jänner 2014
- Dezember 2013
- November 2013
- Oktober 2013
- September 2013
- August 2013
- Juli 2013
- Juni 2013
- Mai 2013
- April 2013
- März 2013
- Februar 2013
- Jänner 2013
- Dezember 2012
- November 2012
- Oktober 2012
- September 2012
- August 2012
- Juli 2012
- Juni 2012
- Mai 2012
- April 2012
- März 2012
- Februar 2012
- Jänner 2012
- Dezember 2011
- November 2011
- Oktober 2011
- September 2011
- Juli 2011
- Juni 2011
- Mai 2011
- April 2011
- März 2011
- Februar 2011
- Jänner 2011
- November 2010
- Oktober 2010
- September 2010
- Juli 2010