The EU-US data transfer saga continues. Despite two historical decisions of the Court of Justice of the EU (CJEU) invalidating the data transfer mechanisms put in place by Brussels and Washington, the two partners have recently announced a third attempt to introduce a framework for transatlantic data transfer. On 25 March, US President Biden, on the occasion of a formal visit to Brussels, announced with EU Commission President Von der Leyen the conclusion of an agreement ‘in principle’ for the establishment of a new Transatlantic Data Privacy Framework.
The announcement occurs more than one year after the CJEU invalidated the Privacy Shield, the data transfer mechanism put in place in 2016 to allow the free transfer of personal data from the EU to the US. This news was much anticipated, especially by multinational tech companies who heavily rely on data transfers across the Atlantic and that in 2020 saw for the second time the legal basis for their transfer of personal data to the US invalidated by the CJEU.
The troubled life of EU-US data transfers: 2000-2021
Data transfers between EU and US have witnessed challenging times in the past decade. The US is the EU’s main commercial partner. Data transfer from the EU to the US underpins a multibillion trade relationship between the two parties. The US is considered as a ‘third country’ from a data protection perspective, meaning that transfers of personal data from the EU must satisfy specific requirements set in the General Data Protection Regulation (GDPR). The logic behind the rules included in the GDPR is to ensure that countries receiving EU personal data offer an ‘adequate’, but not necessarily identical, level of data protection. The US, despite its cultural proximity to Europe, never satisfied that requirement on a general basis, due to its piecemeal approach to regulating data privacy. However, in 2000, the EU recognised the adequacy of the Safe Harbour scheme, a system whereby US companies could self-certify their compliance with a series of data privacy principles to the US Departments of Commerce and Transportation. Despite frequent criticism of the effective level of data protection offered by the scheme, Safe Harbour remained in place for 15 years, until 2015 when it was invalidated by the CJEU.
In 2013, former CIA employee Edward Snowden revealed a vast system of mass surveillance, especially targeting non-US citizens. Austrian privacy activist Max Schrems filed a complaint against Facebook before the Irish Data Protection Commission out of concern for the potential access by US law enforcement and intelligence authorities to personal data transferred by the company to its American servers. In 2015, in the seminal Schrems I case, the CJEU invalidated the EU Commission’s decision recognizing the adequacy of the Safe Harbour scheme.
Since then, EU-US data transfers have been subject to an increasing level of scrutiny. In 2020, in a case once again initiated by Mr Schrems, the CJEU invalidated the Privacy Shield, which was the mechanism introduced to replace the Safe Harbour agreement. The extensive opportunities for US law enforcement and intelligence authorities to access EU personal data in the name of public and national security were highlighted as a continuing cause of concern for the EU, which remained unaddressed after the first Schrems decision.
The new proposed framework
Since July 2020, companies willing to transfer data from the EU to the US have had to resort to alternative mechanisms of data transfer, such as binding corporate rules and standard contractual clauses, both requiring a significant amount of work on behalf of the company to be put in place. In light of the pressing need to find a solution to allow personal data transfers to the EU’s largest commercial partner, and in conjunction with recent geopolitical developments which see the EU and the US standing together against Russia in the aftermath of the invasion of Ukraine, both parties have committed to intensify the ongoing negotiations in order to establish a new data transfer mechanism soon.
However, apart from the name of the future transfer mechanism – ‘Transatlantic Data Privacy Framework’ – little is known about the details of the new legal arrangements. According to the factsheet published by the EU Commission, the framework should be based on the same self-certification mechanism characterising the Safe Harbour and Privacy Shield. It will therefore involve only selected companies on the US side, and it will not lead to the adoption of a general adequacy determination by the EU Commission, making it limited to those companies that will adhere to the scheme. What is new is that the US has committed to introduce binding rules to regulate access to EU personal data by intelligence authorities, paying particular attention to respecting the necessity and proportionality principles, as demanded by the CJEU. The US is also supposed to establish an oversight mechanism monitoring the activities of intelligence authorities in relation to their access to data originating from the EU and a new two-tiered redress system, including a ‘data protection review court’ which will be available to all EU residents.
Criticism and open questions
Despite all good intentions to establish a ‘durable and reliable’ legal basis for future transatlantic data transfers, it is too soon to judge whether the new framework will have a longer life than its predecessors. As Mr Schrems stressed in a note commenting on the announcement of the agreement between the EU and the US, the current proposal lacks a detailed explanation of how it intends to achieve its stated objectives. At first sight, it certainly seems to tick the various boxes highlighted by the CJEU in its two Schrems decisions. However, some open questions related to the effective implementation of the framework remain.
In particular, a final word on the framework cannot be said until the US makes clear how they intend to introduce binding rules for their intelligence authorities. US President Biden announced the adoption of an executive order, but one can argue that a more systematic piece of legislation regulating various activities of law enforcement and intelligence agencies would be needed. Secondly, the effectiveness of the proposed two-tiered redress mechanism for EU citizens remains to be carefully assessed from various points of view. Indeed, EU residents should be put in a position not only to know about a potential access to their personal data by US law enforcement and intelligence authorities, but also how to effectively exercise their right to complain before the relevant US adjudicating bodies. One pertinent issue, for example, pertains to the language that data subjects will have to use to seek redress in the US, given that English is spoken in only two EU countries, namely Ireland and Malta.
In sum, if it is still too soon to conduct a full assessment of the new Transatlantic Data Privacy Framework, one can confidently affirm that the EU-US data transfer issue is anything but settled.