A new Trans-Atlantic Data Privacy Framework has been agreed in principle between the European Commission of the European Union and the United States that will replace the EU-US Privacy Shield, which in 2020 was deemed to be in violation of the General Data Protection Regulation (GDPR).
The main issue with the EU-US Privacy Shield was it did not fully protect the personal data of EU citizens, as personal data could be provided to U.S. law enforcement agencies without the consent of the data subjects. In 2020, the Schrems II decision by the Court of Justice of the European Union (CJEU) rendered the EU-US Privacy Shield invalid.
The Schrems II decision caused problems for companies that engage in data transfers between the EU and the United States and had major implications for businesses that use US-based cloud services in connection with the personal data of EU citizens. This was not the first time that data transfer mechanisms have been invalidated. The predecessor to the EU-US Privacy Shield, the US-EU Safe Harbor, was also invalidated. A replacement for the EU-US Privacy Shield was long overdue.
A new cross-border data-flow agreement was required to replace the EU-US Privacy Shield that covers bulk cross-border data transfers that support more than $1 trillion in cross-border commerce every year, such as the data transfers performed by big tech companies such as Google.
The problem with devising a new framework is the legal systems in place in Europe and the United States are very different. It has taken more than a year of negotiations between the US and Europe to arrive at this point. The agreement in principle does not mean that a permanent solution has now been found, as there are likely to be legal challenges to the new mechanism; however, it is a step in the right direction.
Under the new framework, the United States will implement additional safeguards to ensure that any signals surveillance activities are necessary and proportionate to its national security objectives. The framework will involve a two-level independent redress mechanism with binding authority that will direct remedial measures and ensure rigorous and layered oversight of signals intelligence activities while placing limits on surveillance activities. Should EU citizens believe they have been unlawfully targeted by signals intelligence activities, there will be a clear mechanism for them to seek redress.
“I’m very pleased that we have found an agreement in principle on a new framework for trans-Atlantic data flows. This will enable predictable, trustworthy data flows between the EU and U.S., safeguarding privacy and civil liberties,” said European Commission President Ursula von der Leyen.
“[The Framework] marks an unprecedented commitment on the U.S. side to implement reforms that will strengthen the privacy and civil liberties protections applicable to U.S. signals intelligence activities,” said President Biden.
While President Biden and Ursula von der Leyen appear happy with the progress that has been made, the new framework – the text for which has yet to be written and released – has already attracted criticism in Brussels and from Max Schrems, whose challenge to the EU-US Privacy Shield resulted in its invalidation.
“We already had a purely political deal in 2015 that had no legal basis. From what you hear we could play the same game a third time now. The deal was apparently a symbol that von der Leyen wanted, but does not have support among experts in Brussels, as the US did not move,” said Schrems. “It is especially appalling that the US has allegedly used the war on Ukraine to push the EU on this economic matter.”
Schrems said he will be analyzing the new framework in-depth and will challenge the legality if he and his team determine it is not in line with EU law.