US and European Commission agree to transatlantic data privacy framework

On March 25, the US and the EU announced an “agreement in principle” on a new legal framework for transfers of personal data from the EU to the US compliant with the GDPR. Agreement reflects U.S. commitment to implement new safeguards designed to address concerns that led to July 2020 agreement Schrem II decision of the Court of Justice of the European Communities (CJEU) annulling the EU adequacy decision which underpinned the Privacy Shield. Although the announcement was widely welcomed, it is still an “agreement in principle”, the details and timing of which are yet to be confirmed. Along with expressions of welcome and relief, early reactions also included a strong indication that the new provisions are likely to be challenged by privacy activists including Max Schrems and NOYB, describing “Privacy Shield 2.0” like “a lipstick on a pig”.

What is likely to change in the new agreement?

The success or failure of the new agreement will depend on the extent to which it overcomes the flaws identified by the CJEU in Schrem II. The ECJ ruled against the European Commission’s adequacy decision in favor of the Privacy Shield, concluding that data subjects were insufficiently protected against electronic surveillance or “signals intelligence” activities carried out under the authority federal government, and that those involved in these activities had no viable path. to straighten.

A White House briefing room fact sheet released on March 25 sets out the main terms of the agreement, including key measures designed to “ensure the privacy of EU personal data and create a new mechanism for EU citizens to seek redress if they believe they are unlawfully targeted by signals intelligence activities”. Specifically:

  • Signals intelligence collection may only be undertaken when necessary to advance legitimate national security objectives and must not disproportionately impact privacy and civil liberties;

  • EU citizens can seek redress through a new tiered redress mechanism that includes an independent data protection review court that would be comprised of select individuals outside of the US government who would have full authority to adjudicate complaints and order the necessary corrective measures; and

  • S. intelligence agencies will adopt procedures to ensure effective oversight of the new privacy and civil liberties standards.

Privacy Shield 2.0?

It is important to remember that Schrem II did not overrule the Privacy Shield, which has continued to operate since July 2020. On the contrary, the European Court of Justice’s ruling overturned the European Commission’s adequacy decision in favor of the Privacy Shield . Therefore, one of the main objectives of the new transatlantic data privacy framework is not to replace the Privacy Shield, but to relaunch and improve it with new mechanisms to address the flaws identified in Schrem II.

Participating companies and organizations that leverage the Framework to legally protect data streams will continue to be required to adhere to the Privacy Shield Principles, including the requirement to self-certify their adherence to the Principles by intermediary of the United States Department of Commerce.

The language of the White House fact sheet suggests some areas likely to attract scrutiny once full details become available:

  • What degree of impact on data subjects will be considered acceptable and under what circumstances? The US government does not promise to refrain from using signals intelligence and electronic surveillance. It only promises that intelligence activity will be limited to “legitimate national security interests” and that the impact on individuals will not be “disproportionate”.

  • To what extent will the composition of the proposed Data Protection Review Court ensure that it is truly independent of the federal government?

What happens next?

It is unlikely that the US administration or the European Commission would have used such a high-profile event as the President’s visit to Poland to announce an “agreement in principle”, unless they shared a high degree of confidence in entry into force of the new framework. Obligate. On the US side, the new framework requires an executive order and therefore falls under the authority of the president. On the EU side, the Commission must follow the procedures and consultation requirements provided for in Article 45 of the GDPR. This process requires:

  • A proposal from the European Commission

  • An opinion from the European Data Protection Board

  • An endorsement from representatives of EU member states

  • Adoption of the decision by the European Commission.

Inevitably, this process takes several months and provides ample opportunity for challenge and debate. In the meantime, transfers of personal data from the EU to the US require a specific assessment of the transfer risks and consideration of a comprehensive set of safeguards including legal measures (e.g. use of standard contractual clauses), technical measures (e.g. encryption before transfer) and organizational measures (e.g. employee policies).

The British position

It is also essential to keep in mind that the EU GDPR and the UK GDPR are now separate bodies of law. Although the UK is likely to recognize and adopt the new framework, Brexit has created the possibility of divergence should the UK government decide to adopt different or more flexible rules or criteria than those applicable in the UK. EU. Therefore, in addition to monitoring the EU adequacy decision process, it will also be necessary to keep an eye on the UK government’s responses.

© Copyright 2022 Squire Patton Boggs (USA) LLPNational Law Review, Volume XII, Number 87

Aurora J. William