On 25 March 2022, President Biden and the President of the European Commission (“EC”) von der Leyen announced that the U.S. and EU reached an agreement in principle on a new Trans-Atlantic Data Privacy framework for transatlantic data flows (the New Framework). The parties now need to translate the consensus into legal documents, which will be submitted for approval over the next months. When effective, the New Framework will allow participating companies to legally transfer data from the EU to the U.S. Until then, such transfers remain in flux, with standard contractual clauses (“SCCs”) accompanied by transfer impact assessments (“TIAs”) remaining as the only viable option for many.
In July 2020, the European Court of Justice (ECJ) — in Data Protection Commissioner v Facebook Ireland and M. Schrems (“Schrems II”) — invalidated the Privacy Shield, and in doing so, removed a vital safeguard for EU-U.S. transfers and left more than 5,000 companies searching for an alternative data export mechanism. Moreover, the decision cast doubt over the sufficiency of protections for personal data transferred under other mechanisms, including SCCs, since those mechanisms too did not restrict government access. Read our blog posts on the Schrems II decision and its far reaching consequences here, here, here and here.
Following the Schrems II decision, the U.S. Department of Commerce and the European Commission began negotiations for a replacement framework. Because the Schrems II decision took specific aim at U.S. legal protections against government surveillance, any replacement framework would need to impose new limits on U.S. government access to transferred data and address the rights of individuals in the EU to obtain redress for unlawful access.
What do we know so far?
The breakthrough, announced on 25 March 2022, is only an agreement in principle at the political level. The parties did not yet publish any legal documents alongside the announcement. Now, the negotiators on the ground will translate the high level agreement into legal text, whilst ensuring that the New Framework meets EU requirements and U.S. proposals. While the parties will need to hammer out the details of any future agreement over the next several months, the joint statement and fact sheets each party released on Friday outline the key elements of the agreement at a high level.
First, the New Framework will continue to rely on the Privacy Shield Principles. These principles, which included familiar EU concepts such as transparency, purpose limitation, individual rights, and accountability, among others, formed the core of participating companies’ obligations under the Privacy Shield Framework. The press release confirmed that the New Framework will continue to operate based on companies’ voluntary self-certification to such principles. A benefit of this approach is that companies that opted to maintain their Privacy Shield certification in force even after Schrems II may not need to take additional steps in order to re-enroll in the New Framework.
Second, and critically, the New Framework will include new protections against U.S. government access to transferred data designed to address the ECJ’s concerns in the Schrems II decision. Specifically, the New Framework will:
1. Strengthen the privacy and civil liberties safeguards governing U.S. signals intelligence (SIGINT) activities. These safeguards are intended to address the “necessity” and “proportionality” requirements under EU law, which obligate the government to show that any access to EU data is limited to what is necessary to achieve the government’s objectives.
2. Establish a new redress mechanism with independent and binding authority. The fact sheets indicate that the New Framework will allow EU individuals to seek redress from a two-tier mechanism that includes an independent Data Protection Review Court. Such a court would consist of individuals chosen from outside the U.S. government who would have full authority to adjudicate claims and direct remedial measures as needed. This new mechanism appears to address a key weakness the ECJ identified in the Privacy Shield framework. The previous Privacy Shield framework created an independent “ombudsperson” within the U.S. Department of State to hear complaints from individuals in the EU alleging improper U.S. government access to their data. The ECJ, however, found that the ombudsperson role was not sufficiently independent, or empowered with appropriate remedial authorities, to satisfy EU requirements. Nor could U.S. courts provide sufficient redress because of the difficulties plaintiffs faced in proving “standing” in surveillance cases, where they cannot prove ahead of time that they have been surveilled. The New Framework appears to address these concerns by empowering an extra-governmental court to review alleged violations, though the details of this mechanism and its sufficiency for addressing EU requirements remain uncertain.
3. Enhance existing oversight mechanisms for signals intelligence activities in the U.S. U.S. law already provides for multiple layers of oversight for signals intelligence, including procedures for prior review by the Foreign Intelligence Surveillance Court and external auditing and oversight by the Privacy and Civil Liberties Oversight Board (PCLOB). The agreement suggests the U.S. will implement additional privacy and civil liberties functions to address EU requirements.
It remains to be seen whether the New Framework will withstand judicial scrutiny. Mr. Schrems has already highlighted that the agreement in principle does not appear to contemplate legislative changes to U.S. surveillance laws. It is likely that his organization, noyb, and potentially others, will challenge any new agreement in court.
How long until companies can rely on any New Framework?
Once the parties have negotiated and agreed on the details of the New Framework, the U.S. will need to implement its commitments through an executive order. On the EU side, the EC will draft a ‘proposal’ agreement to implement the agreed framework. The EC must then submit the proposal to the European Data Protection Board (“EDPB”) for its expert opinion on the sufficiency of the protections afforded thereunder. Although the EDPB’s findings are not binding, the EDPB opinion could trigger additional negotiations between the EC and the U.S. Department of Commerce to ensure that the framework provides “essentially equivalent” protection for transferred data. Ultimately, the EC must put the proposal before an EU committee composed of representatives from each EU Member State, who will vote on whether to approve the proposal. Only after all these steps are taken can the EC adopt a final decision that implements the New Framework.
Although the agreement in principle is a welcome first step for many companies, it will likely take several months or longer before companies can rely on the New Framework for their transfers.
What companies should do next
Until the EC officially adopts the New Framework, companies cannot rely on it as a means to export personal data from the EU to the U.S. This means that SCCs accompanied by TIAs remain the only viable option for many EU-U.S. transfers. Companies should closely monitor developments in the space and continue to ensure they have compliant data export mechanisms in place.
Given the continued uncertainty over the precise shape the New Framework will take, companies should hold off on commencing the certification process until the New Framework enters into force and there is more clarity about the exact scope of the requirements.
Several developments may undercut the value of participation in the New Framework for some companies. First, like the Privacy Shield, the New Framework’s protections against government access are likely to apply to transfers to the U.S. based on other mechanisms, such as SCCs. As a result, companies that transfer personal data based on these other mechanisms may benefit from the added legal certainty of an “adequate” framework (and a reprieve from conducting time consuming TIAs) without needing to self-certify to the New Framework. Second, because the EDPB concluded that a company’s direct collection of personal data from a data subject is not a “transfer,” U.S. companies that previously relied on Privacy Shield to address these “direct collections” from EU data subjects (because SCCs could not address circumstances where there was no EU counterparty) may find that participation in the New Framework offers fewer benefits.
That said, companies that continue to participate in the Privacy Shield Framework should watch the developments closely. Even though the ECJ invalidated the old Privacy Shield framework in July 2020, the FTC advised companies at the time to continue their certification stating that “continued participation in the EU-U.S. Privacy Shield demonstrates a serious commitment to protect personal information in accordance with a set of privacy principles that offer meaningful privacy protections and recourse for EU individuals.” An additional benefit for companies that maintained their Privacy Shield certification is that they possibly may not need to take further steps to comply once the New Framework comes into force. Companies should also remember that the New Framework, when finalized, will only offer an effective solution for EU-U.S. transfers. Where companies rely on SCCs or Binding Corporate Rules for transfers to other countries, the New Framework will not offer a reprieve from the requirement to carry out TIAs analyzing the scope of protections under those countries’ laws.