A political solution for data transfers to the U.S. is on the horizon

Germany

The EU and U.S. have announced the Trans-Atlantic Data Privacy Framework as a new edition of the Privacy Shield Framework that was repealed by Schrems II.

After a long dry spell due to the Schrems II ruling by the European Court of Justice (ECJ) on 16 July 2020 (C-311/18), a new adequacy decision for data transfers to the U.S. is now on the horizon, which will once again allow the controller to transfer personal data to U.S. companies in a legally secure and unbureaucratic manner. U.S. President Biden and EU Commission President von der Leyen announced an agreement on a "Trans-Atlantic Data Privacy Framework" on Friday, 25 March 2022. This strengthens the Privacy Shield Framework repealed in "Schrems II".

Background: the protection against U.S. intelligence services provided under the Privacy Shield was insufficient

The Privacy Shield Framework allowed controllers in the EU to transfer personal data to the U.S. without entering into standard contractual clauses if the respective U.S. company had certified itself under the Privacy Shield. This in itself was a reaction to the overturning of the predecessor "Safe Harbour Decision" in Schrems I (C-362/14).

In "Schrems II", the ECJ also declared the Privacy Shield Framework invalid. Self-certification, by its very nature, would not prevent U.S. intelligence agencies from misusing the personal data transmitted for their mass surveillance purposes. This mass surveillance is a violation of the fundamental rights of the data subjects and of the minimum guarantees of the rule of law.

The Privacy Shield did provide for the establishment of an umpire for complaints by EU data subjects against surveillance by U.S. intelligence agencies as an additional rule of law guarantee. However, this did not meet the requirements of the ECJ, which considers a private right of action by persons under surveillance before independent courts to be the minimum required by the rule of law.

Content of the Trans-Atlantic Data Privacy Framework: independent complaints body for EU citizens and continued self-certification

The content of the Trans-Atlantic Data Privacy Framework has not yet been finalised. The EU Commission and the U.S. government are currently only talking about an "agreement in principle".

Most of the details known so far are contained in the U.S. government's press release:

  • Instead of the ombudsperson of the previous Privacy Shield Framework, the Trans-Atlantic Data Privacy Framework will create a quasi-judicial, two-tiered body to rule on complaints from EU data subjects. The panel will be empowered to comprehensively investigate and order binding remedial action. Although it is not part of the judiciary, it should be as independent as possible. In particular, it will be composed of persons who are not members of the U.S. government. According to media reports, this reform is based on a blog post by law professors Christakis/Propp/Swire.
  • New measures are to be established for U.S. intelligence services to reduce surveillance to a proportionate level and to enforce rule of law standards. Which measures these will be remains open.
  • The U.S. will not implement these changes by statute, but only via a new executive order from the U.S. President.
  • The Trans-Atlantic Data Privacy Framework is to build on the existing Privacy Shield. The requirements for U.S. companies will probably remain the same and previous certifications will continue to apply. Even the name "Privacy Shield" will probably continue to be used for the certification. The U.S. government had continued the Privacy Shield certification unchanged even after the Schrems II ruling.

Final adequacy decision in six months at the earliest

Firstly, over the next few months, the U.S. and the EU will finalise the text of the executive order and the adequacy decision. It is not likely that there will be any major problems here, given the intense political pressure. The two sides will not conclude a state treaty but will informally agree on the content of the executive order and the adequacy decision.

The U.S. government will then adopt the executive order and the EU Commission will publish a draft of the adequacy decision. For the previous Privacy Shield this took place approximately one month after the announcement of an agreement in principle.

Subsequently, the European Data Protection Board will issue an opinion on this adequacy decision (Art. 70 (2) (s) GDPR, recital 105 GDPR). This opinion is not binding on the Commission. Even with an expected rejection by the European Data Protection Board, the Commission is unlikely to be deterred from the Trans-Atlantic Data Privacy Framework.

In addition, the member states can give their opinion in the so-called "comitology procedure" (Art. 45 (3) GDPR). Theoretically, they could also issue a negative statement, but this is not expected.

Finally, the Commission will publish the adequacy decision in the Official Journal of the EU (Art. 45 (8) GDPR).

Overall, the procedure for the previous Privacy Shield took about half a year (agreement in principle on 2 February 2016; publication in the Official Journal on 1 August 2016). It is expected that the process for the Trans-Atlantic Data Privacy Framework will take a little longer, as its details have not yet been precisely defined.

Opposition to the Trans-Atlantic Data Privacy Framework is already strong; a Schrems III decision is on the horizon

It seems doubtful whether the Trans-Atlantic Data Privacy Framework will truly fulfil the requirements of the ECJ.

Establishing an independent, quasi-judicial body to examine complaints is indeed clever and could possibly meet the ECJ's requirements for a judicial remedy (on this, see Christakis/Propp/Swire). But it remains unclear whether the executive order, which is likely to be formulated in very general terms, will meet the requirements of the ECJ (Judgment of 16 July 2020 – C-311/18, para. 176 – Schrems II) on

clear and precise rules on the scope and application of the measure in question.

Moreover, it is not clear whether surveillance by U.S. intelligence services will actually be restricted to what is "absolutely necessary", as required by the ECJ.

Therefore, the fate of the Trans-Atlantic Data Privacy Framework will once again be decided by the ECJ. Civil rights organisations, such as noyb, led by Max Schrems, have already criticised the Trans-Atlantic Data Privacy Framework. It is unclear whether it will actually be possible to bring the new adequacy decision in front of the ECJ in a few months, as has been announced by noyb. Even with the previous Privacy Shield Framework, the first complaint was only filed one and a half months after the publication of the adequacy decision, and it was only overturned after almost four years, on the basis of another complaint. Safe Harbour was in force for 15 years.

Conclusion: Groundhog Day for data protection law

After Safe Harbour and Privacy Shield, the EU and the U.S. are now for the third time trying to find a compromise between the high standard of protection of European data protection law and the mass surveillance in the U.S. that continues to be desired on the political front. It is obvious that this attempt is doomed to failure legally. Politically, however, it is always opportune for the EU Commission to make the economically significant data transfers to the U.S. legally secure by means of an adequacy decision.

Until the final adequacy decision, controllers must continue to secure data transfers with other transfer mechanisms, in particular standard contractual clauses.

Even afterwards, controllers should continue to enter into standard contractual clauses with U.S. companies to mitigate the high risk of repeal. This way they can face "Schrems III" with fewer worries.