Progress on US-EU Cross-Border Data Transfers: New Agreement to Replace Privacy Shield After Schrems II Ruling

Jun 2, 2022 | Privacy & Security

Personal data between the United States and the European Union might soon be flowing smoothly again after the two jurisdictions agreed in principle to a new privacy framework.

Data transfers between the EU and the US have been problematic for some time due to a conflict between US surveillance laws and EU data protection and privacy regulations. In July 2020 the Court of Justice of the European Union invalidated Privacy Shield, an arrangement that had allowed more than 5,000 US companies to conduct transatlantic trade while complying with EU data protection rules. The landmark ruling, informally known as Schrems II after Max Schrems, the lawyer and privacy advocate who filed the original complaint against Facebook with the Irish Data Protection Commissioner, struck down Privacy Shield on the basis that US surveillance programs (signals intelligence activities such as wiretapping phone calls, SMS, and any type of data transfer) went beyond what was strictly necessary and EU citizens had no “actionable judicial redress” or effective remedy in the US. In a nutshell, Privacy Shield didn’t protect Europeans from US surveillance. The decision meant companies and regulators have had to approach data transfers on a case-by-case basis to determine whether they’re meeting EU standards, which hampers trade and increases their compliance burden. 

Before Privacy Shield there was Safe Harbor, which Europe’s top court also invalidated over “the same core clash between EU privacy rights and US surveillance laws” following a case also brought by Max Schrems. TechCrunch explained: “Putting a little more meat on the bones, the US’ prioritizing of digital surveillance — as revealed by the 2013 revelations of NSA whistleblower, Edward Snowden; and writ large in the breadth of data capture powers allowed by Section 702 of FISA (Foreign Intelligence Surveillance Act) and executive order 12,333 (which sanctions bulk collection) — collides directly with European fundamental rights which give citizens rights to privacy and data protection, as set out in the EU Charter of Fundamental Rights, the European Convention on Human Rights and specific pieces of pan-EU legislation (such as the General Data Protection Regulation).”

Facebook (cited in the Schrems case) and other big data companies like Google were particularly hard hit by the loss of smooth transatlantic data flows. Meta has threatened to shut down Facebook and Instagram in Europe over the data transfers uncertainty in recent years.

At the time of the Schrems II ruling, the International Association of Privacy Professionals (IAPP) made the point that data protection is incredibly important to global commerce, and privacy professionals play a critical role in implementing protections in line with foreign legal requirements.

What the new agreement means

The new privacy framework, agreed to in principle by the US and the European Commission, brings to a head a couple years of legal wrangling and offers the potential for easier cross-border data transfers going forward, especially for Meta and Google and the thousands of other companies that rely on smooth data flows for trade.

In announcing the new deal in late March, President Biden said, “This framework underscores our shared commitment to privacy, to data protection, and to the rule of law,” and that the flow of data would “help facilitate $7.1 trillion in economic relationships with the EU.” 

European Commission President Ursula von der Leyen added that the new agreement would “enable predictable and trustworthy data flows between the EU and US, safeguarding privacy and civil liberties.” 

Nick Clegg, Meta’s president of global affairs, said the deal “will provide invaluable certainty for American and European companies of all sizes, including Meta, who rely on transferring data quickly and safely.”

Nick Clegg has previously summarized the data transfers issue in strong terms as “the global internet fragmenting”. 

Google’s president of global affairs, Kent Walker, also welcomed the development: “People want to be able to use digital services from anywhere in the world and know that their information is safe and protected when they communicate across borders.” 

But we’re not out of the woods on this issue yet. This new agreement is expected to be heavily tested with legal challenges, some of which Schrems himself indicates he might launch, saying the “final text” of the new agreement would take more time to come through, and that he was prepared to challenge it “if it is not in line with EU law.”

“In the end, the [EU] Court of Justice will decide a third time. We expect this to be back at the Court within months from a final decision,” Schrems said in a statement on the web site of his privacy non-profit noyb.

The detail as it currently stands

In the White House fact sheet on the new privacy framework, we glean some of the key detail that was missing when the deal was first announced:
  • The new agreement is officially called the Trans-Atlantic Data Privacy Framework, and promises to be “a durable and reliable legal basis for data flows”, fostering transatlantic data transfers and addressing the concerns raised in the Schrems II decision. 
  • The framework commits the US to “implement new safeguards to ensure that signals intelligence activities are necessary and proportionate in the pursuit of defined national security objectives, which will ensure the privacy of EU personal data and to create a new mechanism for EU individuals to seek redress if they believe they are unlawfully targeted by signals intelligence activities.”
  • The framework will benefit citizens and companies in both the US and EU. “For EU individuals, the deal includes new, high-standard commitments regarding the protection of personal data. For citizens and companies on both sides of the Atlantic, the deal will enable the continued flow of data that underpins more than $1 trillion in cross-border commerce every year, and will enable businesses of all sizes to compete in each other’s markets.”

The White House says the United States has made “unprecedented commitments to:
  • Strengthen the privacy and civil liberties safeguards governing US signals intelligence activities;
  • Establish a new redress mechanism with independent and binding authority; and
  • Enhance its existing rigorous and layered oversight of signals intelligence activities.”

It gives examples of the new framework’s assurances such as:
  • “Signals intelligence collection may be undertaken only where necessary to advance legitimate national security objectives, and must not disproportionately impact the protection of individual privacy and civil liberties;
  • EU individuals may seek redress from a new multi-layer redress mechanism that includes an independent Data Protection Review Court that would consist of individuals chosen from outside the US Government who would have full authority to adjudicate claims and direct remedial measures as needed; and
  • US intelligence agencies will adopt procedures to ensure effective oversight of new privacy and civil liberties standards.” 

The White House says any company or organization that uses the new framework to legally protect data flows must continue to adhere to the Privacy Shield Principles, including the requirement to self-certify their adherence to the Principles through the US Department of Commerce. EU individuals will continue to have access to “multiple avenues of recourse to resolve complaints about participating organizations, including through alternative dispute resolution and binding arbitration.”

What we think of this development

This is an important issue to be across if you do business outside the US. We believe this new privacy framework is necessary, and we’re pleased to see progress on this long-running issue.

Reading the fact sheet from the White House, it sounds like the US had to make concessions in the main areas that the EU court had issues with: US signals intelligence activities and a perception of lack of oversight and proportionality.

The requirement on companies and organizations to continue to self-certify adherence to the Privacy Shield Principles is something Anonyome Labs already does and will continue to do.

We believe Max Schrems and his privacy non-profit noyb will challenge again in the European Court of Justice. And, of course, it’s still for the US to demonstrate in practice that they’ve made real change. We hope this new agreement is not just buying a couple more years on the merry-go-round.

Photo by Serhii Yevdokymov

Anonyome Labs