On 25 March the US and EU announced an “agreement in principle” on a new legal framework for GDPR-compliant transfers of EU personal data to the United States. The agreement reflects a US commitment to implement new safeguards designed to address the concerns that led to the July 2020 Schrems II decision of the European Court of Justice (ECJ), which struck down the EU adequacy decision underpinning Privacy Shield. While the announcement has been widely welcomed, it remains an “agreement in principle”, with details and timing yet to be confirmed. Alongside expressions of welcome and relief, initial reactions also gave a strong indication that the new arrangements are likely to be challenged by privacy campaigners, including Max Schrems and NOYB, who described “Privacy Shield 2.0” as “lipstick on a pig”.
What is likely to change in the new agreement?
The success or failure of the new agreement will depend on the extent to which it overcomes the flaws identified by the ECJ in Schrems II. The ECJ ruled against the EU Commission’s adequacy decision in favour of Privacy Shield, finding that data subjects were inadequately protected against electronic surveillance or “signals intelligence” activities carried out under US Federal authority, and that data subjects impacted by such activities had no viable route to redress.
A White House briefing room fact sheet issued on 25 March set out the headline terms of the agreement, including key measures designed to “ensure the privacy of EU personal data and to create a new mechanism for EU individuals to seek redress if they believe they are unlawfully targeted by signals intelligence activities”. Specifically:
- Signals intelligence collection may be undertaken only where necessary to advance legitimate national security objectives, and must not disproportionately impact the protection of individual privacy and civil liberties;
- EU individuals may seek redress from a new multi-layer redress mechanism that includes an independent Data Protection Review Court, which would consist of individuals chosen from outside the U.S. Government and would have full authority to adjudicate claims and direct remedial measures as needed; and
- U.S. intelligence agencies will adopt procedures to ensure effective oversight of the new privacy and civil liberties standards.
Privacy Shield 2.0?
It is important to remember that Schrems II did not strike down Privacy Shield itself, which has continued to operate since July 2020. Rather, the ECJ’s ruling struck down the EU Commission’s adequacy decision in favour of Privacy Shield. Consequently, a key objective of the new Trans-Atlantic Data Privacy Framework is not to replace Privacy Shield, but to revive and enhance it with new mechanisms that address the flaws identified in Schrems II.
Participating companies and organizations that take advantage of the Framework to legally protect data flows will continue to be required to adhere to the Privacy Shield Principles, including the requirement to self-certify their adherence to the Principles through the U.S. Department of Commerce.
The language of the White House fact sheet suggests some areas likely to attract close scrutiny once the full details are available:
- What degree of impact on individual data subjects will be considered acceptable, and in what circumstances? The US government is not promising to refrain from signals intelligence and electronic surveillance. It is promising only that intelligence activity will be limited to “legitimate national security objectives” and that the impact on individuals will not be “disproportionate”.
- How far will the composition of the proposed Data Protection Review Court ensure that it is truly independent of the Federal government?
What happens next?
It is unlikely that the US administration or the EU Commission would have used a high-profile event such as the President’s visit to Europe as the occasion to announce an “agreement in principle” unless they shared a high degree of confidence that the new Framework will come into force. On the US side, the new Framework requires an Executive Order, and is therefore within the authority of the President. On the EU side, the Commission must follow the procedures and consultation requirements for an adequacy decision under GDPR Article 45. That process requires:
- A proposal from the European Commission;
- An opinion of the European Data Protection Board;
- Approval from representatives of the EU member states; and
- Adoption of the decision by the European Commission.
Inevitably, that process takes several months and provides ample opportunity for challenge and debate. In the meantime, transfers of EU personal data to the US still require a specific transfer risk assessment and consideration of a full set of safeguards, including legal measures (e.g., use of Standard Contractual Clauses), technical measures (e.g., encryption before transfer) and organisational measures (e.g., employee policies).
The UK position
It is also essential to bear in mind that EU GDPR and UK GDPR are now separate bodies of law. While it is likely that the UK would recognise and adopt the new Framework, Brexit created the possibility of divergence should the UK government decide to adopt rules or criteria that differ from, or are more relaxed than, those applicable in the EU. Consequently, as well as monitoring the EU adequacy decision process, it will be necessary to keep an eye on the UK government’s response.