After the EU-U.S. Privacy Shield was rendered invalid by the Court of Justice of the European Union (CJEU) in July 2020, and following a prior challenge to the U.S.-EU Safe Harbor, many businesses operating on both sides of the pond scrambled to find other ways to protect data flows between the EU and U.S. that meet the EU General Data Privacy Regulation (GDPR) adequacy standards. Now it appears that a replacement is finally on the horizon. On March 25, 2022, the White House announced that the U.S. and EU have committed to a new Trans-Atlantic Data Privacy Framework (Framework) to facilitate data flows from the EU to the United States and address concerns raised by the CJEU when it struck down the European Commission’s adequacy decision underlying the EU-U.S. Privacy Shield Framework in 2020.
Having worked through two prior frameworks that both governments previously supported, businesses are asking if the new Framework can solve the difficulties that undermined its predecessors. According to the White House press release, the Framework will address the CJEU’s concern in Schrems II, in which the court held that U.S. surveillance activities left EU citizens without a judicial remedy for potential privacy violations by the U.S. government. The new Framework pledges to “strengthen the privacy and civil liberties safeguards governing U.S. signals intelligence activities; establish a new redress mechanism with independent and binding authority; and enhance its existing rigorous and layered oversight of signals intelligence activities.”
The White House gives several examples of how the Framework will address the CJEU’s focus on “surveillance” by the U.S. government, namely:
-
Signals intelligence collection may be undertaken only where necessary to advance legitimate national security objectives and must not disproportionately impact the protection of individual privacy and civil liberties;
-
EU individuals may seek redress from a new multi-layer redress mechanism that includes an independent Data Protection Review Court that would consist of individuals chosen from outside the U.S. Government who would have full authority to adjudicate claims and direct remedial measures as needed; and
-
U.S. intelligence agencies will adopt procedures to ensure effective oversight of new privacy and civil liberties standards.
The Framework’s commitments appear to be a step towards addressing issues raised in the Schrems II decision, and the additional redress mechanisms outlined by the White House provide an independent means for EU residents to raise privacy concerns. However, because details are not yet available, businesses face uncertainty as to whether there will be challenges to the new Framework. To complicate matters, the recent Supreme Court case FBI v. Fazaga granted the U.S. government greater leeway in invoking the state secrets privilege, making it more difficult for both U.S. and EU citizens to challenge surveillance intrusions by the U.S. government in American courts. The interplay between the rights described in the White House press release about the new Framework and U.S. legal precedent requires further analysis.
For the time being, businesses that transfer data between the EU and U.S. can continue using the “adequacy” method they currently employ, provided they take into account the Schrems II judgment and the European Data Protection Board’s recommendations on supplementary measures. The Danish Data Protection Agency has already stressed that the new Framework is still just an agreement in principle and current transfer justification requirements still apply.