The United States and European Union have an agreement in principle on a new Trans-Atlantic Data Privacy Framework to replace the EU-US Privacy Shield, which was invalidated on July 16, 2020, by the Court of Justice of the European Union in its Schrems II decision.
Many companies relied on the EU-US Privacy Shield framework for trans-Atlantic data transfers between the EU and Switzerland and the United States. The EU-US Privacy Shield was supposed to ensure compliance with data protection and privacy laws on both sides of the Atlantic. The legality of the EU-US Privacy Shield was challenged by Max Schrems, Honorary Chairman of the privacy organization noyb, with respect to the data transfers between Facebook Ireland Ltd and the United States.
The General Data Protection Regulation (GDPR) requires special safeguards to be implemented when personal data is transferred to a country outside the EU. Schrems argued that the EU-US Privacy Shield failed to satisfy the requirements of the GDPR because it provided an inadequate level of protection for personal data: once personal data had been transferred to the US, it could be accessed under US government surveillance programs. The USA does not have a national data protection law, with the HIPAA laws being the closest in terms of data protection.
On March 25, 2022, almost two years after the invalidation of the EU-US Privacy Shield, a joint announcement was made by the EU Commission and the United States that an agreement in principle had been reached on a replacement framework, dubbed the Trans-Atlantic Data Privacy Framework, which would allow personal data to be freely transferred between the EU and US and would address the issues raised in the Schrems II case. “The new Framework marks an unprecedented commitment on the U.S. side to implement reforms that will strengthen the privacy and civil liberties protections applicable to U.S. signals intelligence activities,” according to a White House statement.
The United States has agreed to implement new safeguards that will ensure that any surveillance activities are “necessary and proportionate” to the national security objectives of the United States, and that there will be a new, “two-level independent redress mechanism with binding authority to direct remedial measures, and enhance rigorous and layered oversight of signals intelligence activities to ensure compliance with limitations on surveillance activities.”
The announcement was brief and light on detail. It appears that, while an agreement in principle has been reached, the actual Trans-Atlantic Data Privacy Framework has yet to be translated into written legal documents, and no timeframe has been provided for when the new framework will be made public.
Max Schrems and noyb immediately criticized the announcement, claiming it was a purely political announcement and that lawyers on both sides have yet to find solutions that address the issues at the heart of the Schrems II case. “We already had a purely political deal in 2015 that had no legal basis. From what you hear we could play the same game a third time now. The deal was apparently a symbol that von der Leyen wanted, but does not have support among experts in Brussels, as the US did not move. It is especially appalling that the US has allegedly used the war on Ukraine to push the EU on this economic matter,” said Schrems.
When the text is made public, Schrems plans to analyze it in detail to determine whether it is fully compliant with the GDPR, and said the Trans-Atlantic Data Privacy Framework will be challenged if it is not in line with EU law.