On 25 March 2022, the European Commission and the United States announced in various statements that they have reached an agreement in principle on a new Trans-Atlantic Data Privacy Framework. The statements from the EU Commission can be found here, here and here; the statement from the US White House can be found here.
This agreement should overcome the concerns raised by the CJEU in the Schrems II judgment, where the CJEU invalidated the EU-US Privacy Shield and stated that the US did not provide a level of data protection that was “essentially equivalent” to that provided within the EU, as the US law enforcement and intelligence agencies’ level of access to EU personal data was too broad and as EU residents were not provided with any effective legal remedies. The agreement should thus become the new basis to facilitate “predictable and trustworthy data flows” between the EU and the US.
Both the EU Commission and the US have published factsheets summarising the key elements of the agreement. According to these factsheets, the Framework will ensure that:
- data will be able to flow freely and safely between the EU and certified US companies;
- a new set of rules and binding safeguards is adopted to limit signals intelligence (i.e. intelligence gathered through the interception of electronic signals) collection and access to EU personal data to what is necessary to advance legitimate national security objectives; US intelligence agencies will adopt procedures to ensure that such collection cannot have a disproportionate impact on the protection of individual privacy and civil liberties;
- a new two-tier redress mechanism is provided to investigate and resolve complaints by EU individuals concerning accessing of data by US intelligence authorities. EU citizens may seek redress through an independent Data Protection Review Court; and
- specific monitoring and review mechanisms are adopted by US intelligence agencies to ensure effective oversight of new privacy and civil liberties standards.
The new Privacy Framework will continue to impose strong obligations on US companies processing EU personal data, whereby companies will again need to self-certify their adherence to the EU-US Privacy Shield Principles through the US Department of Commerce.
The text of the deal is not yet available. The agreement will now have to be converted into an adequacy decision on the EU side and an executive order on the US side. Even though the agreement is very much welcomed by the industry, as data flows will be enabled and obstacles will be removed, there is considerable scepticism as to whether this agreement will really overcome the issues arising from the US surveillance laws. The question also remains whether the new agreement will stand firm against a – quite probable – new challenge by Schrems and NOYB.
In the meantime, the lessons from the Schrems II judgment continue to apply. Companies still have to perform data transfer impact assessments if they want to rely on Standard Contractual Clauses as a transfer mechanism for data transfers to the US. For more information, see our previous article.