Schrems II resolved? Unpacking the EU-US Trans-Atlantic Data Privacy Framework
Invalidation of the Privacy Shield
In July 2020, the CJEU invalidated the EU-US Privacy Shield framework in a preliminary hearing for the Schrems II case, where privacy activist Maximilian Schrems was pursuing Facebook in Ireland over its personal data transfers to the US.
The Privacy Shield was the safeguard mechanism for personal data transfers from the EEA to the US, whereby a US company certified under the framework was allowed to receive EEA personal data without having to rely on another mechanism under Chapter 5 of the General Data Protection Regulation (EU) 2016/679 (‘GDPR’), such as entering into the Standard Contractual Clauses.
Eventually, after having only been in existence for four years, the regime was invalidated due to the wide data capture powers allowed under US national security legislation, namely Section 702 of the Foreign Intelligence Surveillance Act (known as FISA) and Executive Order 12333, contradicting Europe’s notion of fundamental rights under the EU Charter of Fundamental Rights (‘EU Charter’), and as a result, the GDPR.
It was also held that the framework did not provide for sufficient mechanisms to reconcile this conflict between US surveillance laws and EU privacy laws. Importantly, the Ombudsman mechanism in place in the US was deemed to not be of “essential equivalence” with the mechanisms afforded under the GDPR and the EU Charter.
The New Trans-Atlantic Data Privacy Framework
Now, after a year of detailed negotiations between the US and the European Commission, led by the Commissioner for Justice Didier Reynders and the US Secretary of Commerce Gina Raimondo, the two sides have come to an agreement in principle on the Framework.
Necessary and proportionate signals intelligence collection:
Under the Framework, the US will put in place new safeguards to ensure that signals surveillance activities will meet the requirements of being necessary and proportionate in the pursuit of defined national security objectives. Such processing of EEA personal data must not disproportionately impact the protection of individual privacy and civil liberties, bringing the US regime more in line with that of the EU.
Two-tier redress mechanism:
The US will also establish a two-tier independent redress mechanism with binding authority to direct remedial measures. This is in direct response to the concerns of the CJEU over the Ombudsman mechanism and its lack of equivalence to the right of effective remedy before a tribunal provided by Article 47 of the EU Charter.
This two-tier redress system will include the creation of an independent Data Protection Review Court (the ‘Court’), with the aim of investigating and resolving complaints by EU residents about access to their personal data by US intelligence authorities. This Court will consist of individuals chosen from outside of the US Government who will have full authority to adjudicate claims and direct remedial measures as required.
Intelligence agencies to adopt new procedures:
Finally, the US will also commit to enhancing rigorous and layered oversight of signals intelligence activities to ensure compliance with limitations on surveillance activities.
However, the requirement for companies to self-certify their adherence to principles through the US Department of Commerce, as per the previous Privacy Shield regime, will continue.
Will this be adequate in light of the Schrems II decision?
In its fact sheet announcing the agreement in principle, the Biden administration stated that there are more data flows between the United States and Europe than anywhere else in the world, enabling the $7.1 trillion US-EU economic relationship. The disruption caused by the Schrems II outcome has indeed taken a toll on this relationship in terms of personal data transfers.
Companies in both the US and the EU know this all too well, having spent nearly two years relying on alternative transfer mechanisms, such as the Standard Contractual Clauses, which have more recently included the requirement of conducting transfer impact assessments.
Therefore, the announcement of this agreement in principle is very much welcomed by such companies. However, it has also been met with scepticism by some members of the privacy community.
Critics argue that the chink in the armour of the new Framework will be the fact that the new measures shall be implemented by way of an Executive Order (a directive from the President of the US) as opposed to through the passing of primary legislation by the US Congress.
This could pose an issue in particular for the operation of the new redress mechanism (namely, the Court), its independence from the US Executive and the enforceability of its remedies against US intelligence authorities, who have their surveillance rights embedded in federal primary law.
However, time will tell if this new Framework meets the standards required under the GDPR, if (or when) the new regime is put in front of the CJEU.
For the time being, this agreement in principle still needs to be translated into legal documentation, which includes the drafting of an Executive Order on the US side that will form the basis of the draft adequacy decision by the European Commission.
Article provided by INPLP members: Anthi Pesmazoglou and Komal Shemar (Gerrish Legal SARL, France)
Dr. Tobias Höllwarth (Managing Director INPLP)