EU and US officials are seeking to develop a new framework to support the free flow of personal data between the EU and US following a ruling by the EU’s highest court in 2020.
The Court of Justice of the EU (CJEU) assessed claims that the US did not provide adequate protection to personal data transferred from the EU against intrusions resulting from the surveillance activities practised by US public authorities. It ruled that a previous data transfers framework, the EU-US Privacy Shield, was invalid and it further confirmed the due diligence exercise businesses must complete to satisfy themselves that their plans to transfer data to the US and any other ‘third’ country comply with EU data protection law.
The CJEU’s judgment in the so-called ‘Schrems II’ case means that organisations need to be aware of local laws in other jurisdictions to determine whether they contradict the protections that can be applied by contract, and act to apply supplementary measures to ensure the required level of protection, or prohibit, suspend or terminate data transfers in cases where that is not possible.
The European Commission and White House said the new transatlantic data privacy framework will “foster” EU-US data flows and “address the concerns raised” in the CJEU’s Schrems II decision.
The formal legal text of the framework has not yet been published, but the White House said that businesses that want to benefit from the new framework will have to adhere and self-certify to the Privacy Shield principles, which underpinned the EU-US Privacy Shield. Both it and the Commission were also keen to highlight “new safeguards” they said have been built into the framework.
According to the White House, US intelligence gathering activities will be limited to what is “necessary to advance legitimate national security objectives” and “must not disproportionately impact the protection of individual privacy and civil liberties”. The concepts of necessity and proportionality are common in EU law. It said US intelligence agencies will also “adopt procedures to ensure effective oversight of new privacy and civil liberties standards”.
There is an intention to provide data subjects in the EU with rights to seek redress in relation to the handling of their data by US authorities, including via “an independent Data Protection Review Court” which the White House said “would consist of individuals chosen from outside the US government who would have full authority to adjudicate claims and direct remedial measures as needed”.
Amsterdam-based Andre Walter of Pinsent Masons said: “While the announcement of a new transatlantic data privacy framework is welcome, it lacks the detail that businesses will be looking for to understand how the new framework addresses the concerns of the CJEU from its Schrems II decision.”
“One of the main issues identified by the CJEU in its Schrems II decision was the right to an effective remedy. An ombudsperson was appointed by the US to address complaints raised about US authorities' access to EU citizens' data under the Privacy Shield. It appears that a court will be involved under the new redress mechanism for the new framework. The question of judicial independence will be one of the most critical factors in whether the new framework survives a legal challenge, which looks set to follow,” he said.
“We do not yet know how the new commitments around oversight and redress will look in practice and there is also no indication of how long it might take for the framework to be finalised and then given legal effect. For businesses, there is also a timing issue in respect of compliance. They have a major contract remediation project to engage in in respect of data processing to transition to new standard contractual clauses the European Commission has developed before the end of the year. There is no time to wait for the new Privacy Shield 2.0 and hope it supersedes the need for SCCs,” he said.
Max Schrems, honorary chairman of noyb, a privacy campaign group, said: “The final text will need more time, once this arrives we will analyse it in depth, together with our US legal experts. If it is not in line with EU law, we or another group will likely challenge it. In the end, the Court of Justice will decide a third time. We expect this to be back at the Court within months from a final decision.”
“It is regrettable that the EU and US have not used this situation to come to a ‘no spy’ agreement, with baseline guarantees among like-minded democracies. Customers and businesses face more years of legal uncertainty,” he added.
Schrems led the legal challenges that brought down the EU-US Privacy Shield and the EU-US Safe Harbor scheme that pre-dated it.