On March 25, the European Commission and the US government announced that they agreed in principle on a new Trans-Atlantic Data Privacy Framework. Based on the new framework, the commission will issue a new “adequacy decision” based on the US offering an adequate level of data protection, and data will be able to flow freely and safely between the EU and participating US companies without further requirements.
The new framework addresses the concerns raised by the Court of Justice of the European Union, or CJEU, in a 2020 decision known as “Schrems II.”
In 2013, Austrian law student Max Schrems lodged a complaint with the Irish Data Protection Commissioner objecting to surveillance activities undertaken by US intelligence agencies in relation to data stored and processed by Facebook in the US. He argued that the law and practice in the US relating to this meant that there was inadequate protection for EU citizens whose personal data was transferred from the EU. The first case brought by Schrems in 2015 (“Schrems I”) led the CJEU to declare the invalidity of the US Safe Harbor scheme, the predecessor to the Privacy Shield.
In Schrems II, the CJEU declared that the EU-US Privacy Shield does not include satisfactory limitations in order to ensure the protection of EU personal data from the indiscriminate surveillance programs used by US public authorities. The court questioned the independence of the ombudsperson mechanism for managing complaints in the US and observed a lack of authority to make binding decisions on US intelligence services.
The CJEU therefore invalidated the EU-US Privacy Shield Adequacy Decision, which meant it could not be relied upon for EU-US data transfers with immediate effect in 2020. However, the US Department of Commerce continued to administer the Privacy Shield program following the decision, stating that it did not relieve participants in the EU-US Privacy Shield of their obligations under the EU-US Privacy Shield Framework.
According to the commission’s press release, “The new Framework marks an unprecedented commitment on the US side to implement reforms that will strengthen the privacy and civil liberties protections applicable to US signals intelligence activities.” The US is to put in place new safeguards to ensure that signals surveillance activities are necessary and proportionate in the pursuit of defined national security objectives, establish a two-level independent redress mechanism with binding authority to direct remedial measures, and enhance rigorous and layered oversight of signals intelligence activities to ensure compliance with limitations on surveillance activities.
The teams of the US government and the European Commission will now finalize the details of this agreement in principle and translate it into legal texts that will form the basis of a draft adequacy decision to be proposed by the Commission.