On Friday, March 25, 2022, US President Joe Biden and European Commission President Ursula von der Leyen jointly announced that a deal had been reached to replace the former Privacy Shield framework governing data transfers from the European Economic Area (“EEA”) to the US. As they say, the devil is in the details, and to date no actual text of the accord is available to provide specifics about the new framework. However, according to a Joint Statement, the US has agreed to implement the following measures:
- put in place new safeguards to ensure that signals surveillance activities are necessary and proportionate in the pursuit of defined national security objectives;
- establish a two-level independent redress mechanism with binding authority to direct remedial measures; and
- enhance rigorous and layered oversight of signals intelligence activities to ensure compliance with limitations on surveillance.[1]
These new concessions by the US are intended to address concerns regarding the potential risk that personal information transferred to the US could be subject to production to the US government under the Foreign Intelligence Surveillance Act of 1978 (“FISA”). Such concerns have been at the forefront of EU privacy law for some time and have been the focus of recent decisions from the Court of Justice of the European Union, most notably when the so-called “Schrems II”[2] decision struck down the former Privacy Shield data transfer framework between the US and EU in 2020 because of the potential risk of production of data under FISA. The test will be whether the new safeguards proposed by the US are deemed sufficient to mitigate the risk of production and alleviate concerns in the EU.
Certainly, news of this agreement will be very much welcomed by many given the uncertainty previously created by Schrems II and its progeny. After the court struck down the former Privacy Shield framework, organizations were left to determine for themselves other purportedly lawful means for transatlantic data transfers, such as agreeing to standard contractual clauses (“SCC”) to safeguard data. However, even the use of an SCC has recently been called into question. In the last three months, data protection authorities in both Austria and France invalidated the use of Google Analytics[3] after concluding that data collected by the Google software could be subject to production under FISA. Taken together, these decisions from EEA authorities have had many wondering if there is any lawful means of transferring personal information to the US.
Despite this new agreement, it remains uncertain whether the US and EU can settle their differences to create an enforceable regulatory regime. The perspective with which EEA authorities view risk starkly contrasts with the predominant viewpoint in the US. For example, in order to have standing to sue in the US, there must be proof of a concrete risk of harm rather than merely an abstract or hypothetical risk. In contrast, EEA authorities have consistently upheld restrictions based on the type of hypothetical risk of production underpinning Schrems II. With such contrasting viewpoints on measuring actionable risk, it should be fascinating to watch the two sides try to reach a satisfactory compromise.
Meanwhile, privacy advocate Max Schrems, whose lawsuit successfully challenged Privacy Shield, has left no doubt that he intends to pursue a Schrems III as he has stated “[i]n the end, the Court of Justice will decide a third time. We expect this to be back at the Court within months from a final decision.”[4]
ENDNOTES
[1] Joint Statement on Trans-Atlantic Data Privacy Framework (europa.eu)
[2] CURIA - Documents (europa.eu)
[3] Austrian Data Protection Authority (DPA) decision: Standarderledigung Bescheid (noyb.eu). French authority (CNIL) decision: Decision ordering X to comply (cnil.fr)
[4] "Privacy Shield 2.0"? - First Reaction by Max Schrems (noyb.eu)