
The European Commission will accelerate the replacement of the EU-US Privacy Shield

The EU and US announced the Trans-Atlantic Data Privacy Framework as a new edition of the Privacy Shield Framework, which was repealed by Schrems II.

After a long period of drought due to the Schrems II judgment of the Court of Justice of the European Communities (ECJ) of July 16, 2020 (C-311/18), a new adequacy decision for data transfers to Member States now looms on the horizon, which will once again allow controllers to transfer personal data to US-based companies in a GDPR-proof manner. US President Biden and European Commission President von der Leyen announced an agreement on a “transatlantic data privacy framework” on Friday, March 25, 2022. And, on April 21, EU Justice Commissioner Didier Reynders said he hoped the process of EU adoption of the new framework could begin before the summer.

Background: the protection against US intelligence services provided under the Privacy Shield was insufficient

The Privacy Shield framework allowed European companies to transfer personal data to the United States without entering into standard contractual clauses if the relevant US company had certified under the Privacy Shield. This was in itself a reaction to the annulment of the previous “Safe Harbor Decision” in Schrems I (C-362/14).

In “Schrems II”, the ECJ also declared the Privacy Shield Framework invalid. Self-certification, by its very nature, would not prevent US intelligence agencies from misusing transferred personal data for mass surveillance purposes. This mass surveillance is a violation of the fundamental rights of the persons concerned and of the minimum guarantees of the rule of law.

The Privacy Shield provided for the establishment of an arbitrator to deal with complaints from EU data subjects against surveillance by US intelligence agencies as an added safeguard. However, this did not meet the requirements of the CJEU, which considers that a private right of action of persons under surveillance before independent courts is the minimum required by the rule of law. See here for a more in-depth analysis of the ECJ’s Schrems II decision.

Content of the Trans-Atlantic Data Privacy Framework: independent complaints body for EU citizens and ongoing self-certification

The content of the Trans-Atlantic Data Privacy Framework has not yet been finalized. The European Commission and the US government are currently talking only of an “agreement in principle”. Most of the details known so far are contained in the US government press release:

  • Instead of the old privacy framework’s ombudsman, the transatlantic data privacy framework will create a two-tier quasi-judicial body to adjudicate complaints from EU data subjects. The panel will be empowered to fully investigate and order binding corrective action. Although not part of the judiciary, it should be as independent as possible. It will notably be composed of persons not belonging to the American government.
  • New measures must be established for US intelligence services to reduce surveillance to a proportionate level and uphold rule of law standards. What these measures will be remains open.
  • The United States will not implement these changes through legislation, only through a new Executive Order from the US President.
  • The transatlantic data privacy framework should build on the existing Privacy Shield. Requirements for US companies will likely remain the same and previous certifications will continue to apply. The US government had left the Privacy Shield certification unchanged even after the Schrems II ruling.

Final adequacy decision in six months at the earliest

First, over the next few months, the US and EU will finalize the text of the executive order and the adequacy decision. There are unlikely to be any major problems here, given the intense political pressure. At Politico’s AI and Technology Summit on April 21, EU Justice Commissioner Reynders said he hoped the EU adoption process would begin before the summer: “It depends on the texts we receive from the American side, but I hope that before the summer it will be possible to start our own ratification process. I hope we will receive the first legal texts from the United States very soon.” The two parties will not enter into a state treaty but will informally agree on the contents of the executive decree and the adequacy decision.

The US government will then adopt the executive order and the European Commission will issue a draft adequacy decision. For the old Privacy Shield, this took place about a month after the announcement of an agreement in principle. Subsequently, the European Data Protection Board will issue an opinion on this adequacy decision. This opinion does not bind the European Commission. Even with an expected rejection by the European Data Protection Board, the European Commission is unlikely to be deterred from the transatlantic data privacy framework.

In addition, Member States can give their opinion under the “comitology procedure” (Art. 45 (3) GDPR). Theoretically, they could also issue a negative statement, but this is not planned.

Finally, the European Commission will publish the adequacy decision in the Official Journal of the EU.

Overall, the procedure for the previous Privacy Shield took about six months (agreement in principle on February 2, 2016; publication in the Official Journal on August 1, 2016). The process for the Transatlantic Data Privacy Framework is expected to take a little longer, as the details have not yet been agreed.

Opposition to the transatlantic data privacy framework is already strong; a Schrems III decision is on the horizon

It is doubtful that the transatlantic data privacy framework actually meets the requirements of the ECJ.

The establishment of an independent quasi-judicial body to examine complaints is indeed smart and could possibly meet the CJEU’s requirements for judicial review. But it remains to be seen whether the decree, which should be formulated in very general terms, will meet the European requirement for a clear and precise measure on its scope and application.

Moreover, it is not clear whether surveillance by US intelligence services will indeed be limited to what is “absolutely necessary”, which is another European requirement.

Therefore, the fate of the Trans-Atlantic Data Privacy Framework will again be decided by the ECJ. Civil rights organisations, such as noyb, the privacy organization run by Max Schrems, have previously criticized the transatlantic data privacy framework.

Conclusion: Groundhog Day for Data Protection Law

After Safe Harbor and Privacy Shield, the EU and the US are now trying, for the third time, to strike a long-awaited balance between the high standard set by European data protection law, on the one hand, and American mass surveillance practices, on the other hand. This is anything but obvious and the likelihood of such an agreement being invalidated again by the CJEU is high. Politically, however, it is still expedient for the European Commission to try to legally secure economically important data transfers to the United States by means of an adequacy decision.

Until the final adequacy decision, European companies should continue to secure data transfers through other transfer mechanisms, including standard contractual clauses. See here for more information on the new EU Standard Contractual Clauses.

And, even after the adoption of the upcoming Trans-Atlantic Data Privacy Framework, European companies are advised to continue to use the Standard Contractual Clauses for data transfers to US-based companies to mitigate the high risk that the Trans-Atlantic Data Privacy Framework will be invalidated. This way they can take on “Schrems III” with less hassle.