Towards 'Privacy Shield 2.0': Back to normal for US data transfers?
On 25 March 2022, U.S. President Joe Biden and European Commission President Ursula von der Leyen announced that they have reached a preliminary agreement which will foster trans-Atlantic data flows and (allegedly) address the concerns raised by the Court of Justice of the European Union (CJEU) in the 'Schrems II' decision of 16 July 2020 invalidating the Privacy Shield (Data Protection Commissioner v Facebook Ireland and Maximillian Schrems, Case C-311/18).
Since the 'Schrems II' ruling (see our article: European Court of Justice renders new Schrems decision on international data transfers), transfers of personal data to countries located outside the European Economic Area (EEA) that do not offer a level of protection equivalent to that of the European Union (such as the US) are highly restricted. In particular, 'Schrems II' invalidated the Privacy Shield (the legal framework enabling personal data transfers to the US, provided that the data recipient in the US was self-certified with US authorities). Therefore, since 'Schrems II', alternative routes have to be used to transfer data to the US, such as the so-called 'standard contractual clauses', to be accompanied by 'appropriate supplementary measures' if the relevant transfer raises issues in terms of EU data protection once the data are in the US. (See our more detailed briefing: US and EU Agree on Framework for Privacy Shield Replacement.)
This amounts to burdensome assessments, onerous undertakings and legal uncertainty. The lawfulness of data transfers to the US is currently very fragile. For instance, Google Analytics has been declared illegal, notably in France and Austria, because of the data transfers to the US it entails (see our article: Google Analytics declared illegal in France). For the same reasons, decisions from EU supervisory authorities on the lawfulness of other tools, such as Facebook Connect, are expected. The new political agreement, the so-called Trans-Atlantic Data Privacy Framework (TADPF), aims to implement a new self-certification mechanism, which may ease transatlantic data flows.
Key points of the agreement
The preliminary agreement between the EU and the US has not yet been backed by a legal text. However, the White House has announced in a press release that the US made "unprecedented commitments". More details on the agreement were disclosed by the European Commission, which notably specifies that the US promises will be included in an Executive Order that will form the basis of a draft European Commission adequacy decision. The statement from the European Commission revealed that under the new TADPF the US would undertake:
- To implement new safeguards to limit access to data by US surveillance agencies to what is necessary and proportionate in the pursuit of defined national security objectives.
- To establish a two-tier redress system to investigate and resolve complaints of EU individuals on access to data by US surveillance agencies, which includes an independent Data Protection Review Court.
- To enhance oversight of intelligence activities.
Despite those encouraging signals, it remains to be seen if the US commitments under the TADPF will satisfy GDPR requirements, in particular as interpreted by the CJEU.
Moreover, the effectiveness of remedies before the new Data Protection Review Court will likely be key to the legal sustainability of the TADPF. Some privacy advocates have argued that the March 2022 US Supreme Court decision in FBI v. Fazaga would make it more difficult for the US and EU to reach a lasting agreement that would withstand a challenge before the CJEU. In Fazaga, the Court ruled that the US Federal government could invoke its state-secrets privilege to prevent disclosure of information to individuals who claimed they had been subject to illegal surveillance by US authorities under the Foreign Intelligence Surveillance Act (FISA). One of the key issues discussed in 'Schrems II' was the broad scope of surveillance under FISA, and Fazaga may reinforce such concerns when the CJEU inevitably reviews whether the TADPF satisfies the GDPR.
Although this political agreement has been welcomed by EU and US companies, it has also given rise to more cautious reactions from both data regulators and privacy advocates.
Maximilian Schrems, lead litigant in the CJEU's decisions 'Schrems I' and 'Schrems II' and founder of the NOYB association, declared that once the final text of the framework is published, NOYB or another activist group will likely challenge the TADPF before the CJEU if it does not comply with EU law.
Furthermore, on 6 April 2022, the European Data Protection Board (EDPB) released a statement on the announcement and welcomed this preliminary agreement. However, it underlined its willingness to pay special attention to "how this political agreement translates into concrete legal proposals", respecting EU law, CJEU case law and the previous recommendations the EDPB issued on that basis. In particular, the EDPB specified that it will analyse whether the collection of personal data for national security purposes is limited to what is strictly necessary and proportionate, and how the announced independent redress mechanism, including the Data Protection Review Court, will respect EEA individuals’ right to an effective remedy and to a fair trial. More specifically, the EDPB said that it would assess whether the Data Protection Review Court has access to relevant information, including personal data, when exercising its mission, and whether it can adopt decisions binding on the intelligence services. The EDPB also said it would consider whether there is a judicial remedy against this Court’s decisions or inaction.
Some EU supervisory authorities, such as the Danish and Swedish regulators, reacted to this announcement by reminding companies that everything remains 'as is' for the time being. The political agreement does not constitute a legal framework on the basis of which EEA data exporters can transfer data to the US, and data exporters must therefore continue taking the necessary actions to comply with the case law of the CJEU, in particular with the 'Schrems II' decision. Furthermore, companies using 'standard contractual clauses' to carry out their transfers should bear in mind that they have until 27 December 2022 to upgrade their documentation to the new templates issued by the European Commission.
The European Commission and the US Government will now have to work on translating this agreement 'in principle' into concrete legal documentation. Before entering into force, the agreement will go through the entire European approval process. This process has historically taken several months (e.g. five months for the adoption of the Privacy Shield in 2016 and four months in the case of the UK adequacy decision). A final version of the TADPF is therefore not expected for a few months, and it is assumed that an adequacy decision will not be adopted until at least the end of 2022.