Data Protection Law
A new data privacy framework has been agreed in principle by the European Commission and the United States according to a joint statement published on 25 March 2022.
This follows on from the ECJ’s decision in Schrems II in 2020 which ruled the previous data sharing agreement between the EU and the US (the Privacy Shield) invalid. The court assessed claims that the US did not provide adequate protection to personal data transferred from the EU against intrusions resulting from the surveillance activities practised by US public authorities.
Can we rely on the new data privacy framework right now?
No, we will have to wait for the data privacy framework to be implemented. Following Schrems II (and until the Data Privacy Framework is implemented) the most common way for organisations to effect data transfers between the EU and the US is by using a data transfer contract that contains standard clauses pre-approved by the European Commission and, if necessary, adopting additional safeguards beyond the standard clauses if those clauses do not ensure adequate data protection for the transferred data taking into account the risks of the US surveillance regime being able to access that data.
Data Privacy Framework fact sheet
The announcement about the new data privacy framework included a fact sheet which provides an overview of what the new data privacy framework will include:
• Provisions enabling data to be able to flow freely and safely between the EU and participating U.S. companies.
• A new set of rules and binding safeguards to limit access to data by U.S. intelligence authorities to what is necessary and proportionate to protect national security.
• A new two-tier redress system to investigate and resolve complaints of Europeans on access of data by U.S. Intelligence authorities, which includes a Data Protection Review Court.
• Strong obligations for companies processing data transferred from the EU, which will continue to include the requirement to self-certify their adherence to the Principles through the U.S. Department of Commerce.
• Specific monitoring and review mechanisms.
According to the White House, US intelligence gathering activities will be limited to what is “necessary to advance legitimate national security objectives” and “must not disproportionately impact the protection of individual privacy and civil liberties”. The concepts of necessity and proportionality are common in EU law. It said US intelligence agencies will also “adopt procedures to ensure effective oversight of new privacy and civil liberties standards”.
European Data Protection Board
On 7 April 2022 the European Data Protection Board issued a press statement welcoming the announcement of the new data privacy framework but with caution.
The EDPB said that it would pay particular attention to:
• Whether the collection of personal data for national security purposes is limited to what is strictly necessary and proportionate.
• How the independent redress mechanism respects individuals’ rights to an effective remedy and to a fair trial.
• Whether any new authority has access to relevant information, including personal data, when exercising its mission and whether it can adopt decisions binding on the intelligence services.
• Whether there is a judicial remedy against the new authority’s decisions or inaction.
What are the next steps?
The agreement in principle will need to be incorporated into legally binding documents. An Executive Order in the US will form the basis of a draft adequacy decision by the Commission which will then need to follow the formal adoption process under the GDPR. It may therefore be some time before organisations can rely on the new data privacy framework.
The new data privacy framework will not apply to transfers from the UK to the US. One hopes that the ICO, if it doesn’t agree adequacy arrangements before the new framework is in place will do so as soon as that happens.
And finally: even once the new framework becomes law it may not last in its current state for long. Max Schrems, who brought the Schrems II case, said the “final text” of the new agreement would take more time to come through and added he’s prepared to challenge it “if it is not in line with EU law.” “In the end, the [EU] Court of Justice will decide a third time. We expect this to be back at the Court within months from a final decision,” Schrems said in a statement.
EM law specialises in technology and data protection law. Get in touch if you need advice on data protection law or compliance or if you have any questions on the above.