Following the European Commission’s (“EC”) announcement of the new Trans-Atlantic Data Privacy Framework (the “Framework”) earlier this year, Lawyer and privacy activist Max Schrems’ organisation, NOYB, recently issued an open letter to EU and US officials arguing that the proposed framework is unlikely to withstand legal challenge and overly resembles its predecessor, the now-defunct Privacy Shield.
In this article, we set out what we know about the Framework so far.
The Framework is intended to enable data transfers to be made from the EU to participating US companies in a safe and secure manner, presumably without the need for additional safeguards (e.g. entry into standard contractual clauses (“SCCs“) and the more recent accompanying requirement to conduct transfer impact assessments (“TIAs“)) and in a way that was possible when the Safe Harbour scheme and Privacy Shield were still valid.
By way of a recap, the Safe Harbour scheme allowed US participating companies to self-certify that they adhered to seven key data protection principles (notice, choice, onward transfer, security, data integrity, access and enforcement) and complied with various EU-focussed data privacy requirements. However, in 2015, the Court of Justice for the European Union (“ECJ“) ruled that the US Safe Harbour Scheme was invalid (Schrems v DPC) on the grounds that it did not provide EU citizens with a clear mechanism of redress for data privacy concerns and permitted excessive access by US authorities to the personal data of such EU citizens.
After the Safe Harbour scheme was invalidated, the EC and US Department of Commerce passed the EU-US Privacy Shield, which built upon the Safe Harbour scheme in a number of ways with the aim of improving the level of protection afforded to the personal data of EU citizens. However, following the Schrems II decision in 2020, the Privacy Shield regime was also ruled invalid on the basis of, amongst other things, its failure to limit data surveillance powers by US authorities and to provide data subjects with the means to seek effective judicial remedy before an independent body that could offer guarantees in line with EU law.
What will the new framework include?
The Framework will reportedly build upon the structure of the Privacy Shield regime and will focus on several key principles and actions. The Framework will:
- apply new safeguarding measures to ensure that access to data by US intelligence authorities is limited to what is necessary and proportionate and will only be used in pursuit of defined national security objectives (this has, however, been challenged by NOYB, which highlighted the finding in the Schrems I and II judgments that practices under US surveillance laws are rarely limited to what is necessary and proportionate);
- establish a two-tier redress mechanism, providing EU citizens with direct remedial measures through a newly established Data Protection Review Court (“DPRC”) to resolve complaints regarding access of data by U.S. intelligence authorities (this has also been challenged by NOYB which contends that this only provides the illusion of redress as US authorities will likely review the DPRC’s decisions and it is unlikely that the US will be required to disclose any surveillance operations which amount to ‘state secrets’, leaving data subjects unaware of these activities and unable to challenge them);
- require US intelligence agencies to implement effective procedures to ensure oversight over new privacy and civil liberties standards; and
- require organisations that wish to rely on the Framework to legally protect data flows to continue to follow the Privacy Shield principles including by self-certifying their adherence to these principles through the U.S. Department of Commerce.
How does the new framework interact with the current issues surrounding the transfer of personal data to the US in the context of services provided by US tech companies?
The development of the Framework is taking place against the backdrop of a growing number of data protection authorities across the EU ruling (or at the very least warning) against the use of data processing tools operated by large US-based tech companies which involve the transfer of personal data to the US. These rulings were triggered in part by NOYB, who filed the underlying complaint.
These rulings centre around the use of such tools (e.g. web analytics tools) resulting in user data, including device IP addresses, being transferred to the US in the absence of necessary safeguards, with EU data protection authorities finding the protections applied insufficient for the purposes of addressing the requirements of EU data protection legislation. One of the key reasons cited for this is the ability of US intelligence agencies to access transferred personal data under US surveillance laws.
The addition of the requirement to conduct TIAs and obligations on third country recipients of personal data to provide information about government access requests (where legally possible) to the new SCCs should assist organisations with the identification of supplementary measures to address the risks associated with transferring personal data to the US in the course of using these tools (e.g. activation of IP anonymisation features, obtaining consent from users for the use of their data for analytics purposes and making international transfers of their data in a cookie banner). However, putting these measures in place might not serve to fully mitigate the risks associated with transferring personal data to the US in the eyes of EU data protection authorities.
In light of this, a new data transfer framework that addresses these concerns and all of the issues that caused both the Safe Harbour scheme and Privacy Shield regime to be struck down will be a welcome development for US-based tech companies and the extremely broad base of EU-based customers that use their tools.
Currently, the US Government and the EC are working towards translating the proposed Framework into legal documents that can be adopted on both sides. Until the substantive terms of the agreement reached between the US and the EC have been published, there is still a degree of uncertainty as to whether it will sufficiently address issues raised by the Schrems II ruling (and whether NOYB’s concerns are founded) or the concerns expressed by data protection authorities across the EU in relation to the transfer of personal data to the US. As such, it remains to be seen whether this latest EU-US transfer mechanism will amount to an effective data transfer mechanism or whether it will meet the same fate as its predecessors. However, some form of legal challenge in the future seems almost inevitable.