On March 25, 2022, US President Joe Biden and European Commission President Ursula von der Leyen made the long-awaited announcement that the United States and the European Union have agreed, in principle, to the Trans-Atlantic Data Privacy Framework (the Framework), after more than a year of negotiations. The White House and the European Commission emphasized that the agreement would facilitate trans-Atlantic data flows while bolstering privacy and civil liberties protections applicable to US signals intelligence activities. The two sides also sketched out the initial contours of the Framework. See the White House’s fact sheet here and the European Commission’s fact sheet here. The Framework is ultimately intended to replace the Privacy Shield, which the Court of Justice of the European Union (CJEU) deemed to be inconsistent with EU law and therefore invalid in July 2020.
So far, the Framework is merely an agreement in principle—many details must be negotiated and codified in a final agreement. The two sides confirmed that they will now translate their understanding into legal documents that will need to be adopted by both sides. Once the details are finalized, the United States plans to incorporate its commitments into an Executive Order, which the European Commission will then use as the basis of an adequacy decision. While the drafting and implementation process entails uncertainties, the Framework is a major and very positive development for trans-Atlantic data transfers.
For now, companies should continue to ensure they have a legal basis and valid data transfer mechanisms, including but not limited to Standard Contractual Clauses (SCCs), in place for transfers of personal data out of the European Union. The White House’s fact sheet notes that in order to use the Framework, entities will need to adhere to the Privacy Shield principles and self-certify their adherence through the US Department of Commerce. Certification to the Department of Commerce was also required under the last Privacy Shield, and nothing in the press release suggests that the principles will be changed. Companies should thus consider adhering to the current Privacy Shield principles (though they should be aware that the Federal Trade Commission will hold them to these representations, as they did recently to a company in this case.)
Invalidation of Privacy Shield 1.0
The Framework was necessitated by the July 2020 decision in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) (Schrems II). Schrems II narrowed the options available to entities making international data transfers and created uncertainty regarding what additional safeguards entities would need to adopt when relying on one of the remaining options. After the CJEU had held in 2015 that the US-EU Safe Harbor was inconsistent with EU law, the European Commission and the US Department of Commerce established the trans-Atlantic framework known as the Privacy Shield. By self-certifying to the Privacy Shield principles—a set of 23 principles, including notice, choice and access—US companies would have “adequate” privacy protection and be able to receive data from EU entities. In Schrems II, however, the CJEU ruled that the Privacy Shield also does not pass muster under EU law. The CJEU reasoned that the Privacy Shield does not ensure adequate protection required under the GDPR because US law does not contain sufficient limitations on the power to implement surveillance programs, and the adherence to Privacy Shield principles could be limited by the pursuit of national security interests. The CJEU also noted that there was no adequate judicial protection against interference or redress for data subjects.
The CJEU’s decision in Schrems II is arguably in tension with the European Union’s commitments under the WTO’s General Agreement in Trade in Services (GATS), insofar as it threatens the ability of US companies to supply certain cross-border services to the European Union. The European Union has committed under the GATS to accord nondiscriminatory treatment to US service suppliers vis-à-vis EU and third-country suppliers in various service sectors that Schrems II implicates, such as computer and related services. Limitations on cross-border data transfers by US companies that do not apply equally to similar EU and third-country suppliers are likely inconsistent with these commitments. Notably, it appears that the European Union does not apply the same scrutiny to EU Member State and third-country surveillance laws that it applies to US laws.
Overview of the Framework
The new Framework—once it is finalized and implemented—will hopefully resolve the legal uncertainties shadowing EU-US data flows since the Schrems II decision. In their announcement of the agreement in principle, the White House and the European Commission characterized the Framework as an “unprecedented commitment” to strengthen the privacy and civil liberties safeguards governing US signals intelligence activities, addressing the concerns raised by the CJEU in Schrems II.
The two sides cited three examples. First, the United States will limit the use of signals intelligence activities to when it is “necessary to advance legitimate national security objectives,” and ensure that it does not “disproportionately” impact privacy and civil liberties. Second, the United States will grant EU individuals the ability to seek redress “from a new multi-layer redress mechanism” that will include an adjudicatory body, known as the independent Data Protection Review Court. The Data Protection Review Court—whose members would not be US government officials—would have full authority to decide claims and to “direct remedial measures.” Third, the United States will “adopt procedures to ensure effective oversight of new privacy and civil liberties standards.”
Further details on the Framework, however, remain to be seen. And an adequacy decision will not be made until the Framework is translated into an Executive Order by the United States. In addition, a challenge of the Framework in the CJEU appears inevitable.
Potential Implications for Trans-Atlantic Digital Trade
After almost two years of devising complicated legal arrangements to facilitate trans-Atlantic data transfers, companies may soon be able to rely on a simpler framework to conduct cross-border data transfers. The announcement is a welcome development from the perspective of overall US-EU trade relations, as it has the potential to resolve what would otherwise have become a significant US-EU trade dispute.
Its effect may be limited, however, by the European Union’s broader desire for “digital sovereignty.” In fact, within a few hours of the Framework announcement, the European Union passed the Digital Markets Act, a significant new digital trade regulation that US Commerce Secretary Gina Raimondo has described as discriminatory toward US companies. It is unclear how the European Union’s focus on digital sovereignty will affect any final agreement between the United States and the European Union regarding the Framework.
We will continue to monitor changes in privacy law and its impact on trans-Atlantic digital trade.