On 25 March 2022, the European Commission and the United States announced agreement in principle on a new Trans-Atlantic Data Privacy Framework. This will be welcome news to businesses on both sides of the Atlantic but has some way to go before it becomes a reality.
What?
The new Trans-Atlantic Data Privacy Framework is intended to facilitate transfers of personal data from the EU to the US. These have become increasingly problematic following the CJEU’s decision in Schrems II. First, a very significant effort is needed in each case to assess the impact of the personal data transfer and the risk linked to potential surveillance (a so-called transfer impact assessment), which requires specialist US legal advice. Second, the outcome of that process is itself problematic, with EU data protection authorities and courts already prohibiting some transfers of personal data to the US.
While details of the new Framework are not yet available, the press releases accompanying the announcement suggest that the US will issue an Executive Order that will make three key changes to address the shortcomings identified by the Court of Justice in Schrems II:
- Ensure US intelligence collection is undertaken only where it is necessary for national security objectives, and does not disproportionately impact the protection of individual privacy and civil liberties.
- Give EU individuals a new multi-layer redress mechanism that includes an independent Data Protection Review Court.
- Ensure US intelligence agencies adopt procedures to ensure effective oversight of new privacy and civil liberties standards.
Importantly, US companies wishing to participate in the new Framework will need to self-certify their adherence to the Privacy Shield Principles, enforced by the Department of Commerce. This utilisation of an existing and well-known privacy mechanism should speed adoption once the new Framework is in place (and, indeed, should mean it is immediately available to EU and US companies who have maintained their adherence to the Privacy Shield Principles).
When?
The new Trans-Atlantic Data Privacy Framework is still some months off. Before it comes into force the US and the EU will need to finalise the full text of this proposal (though given the announcement last week, one imagines this process should be relatively well advanced) and the EU Commission will need to issue a draft adequacy decision.
That draft decision will then need to be approved by the EU. This will involve both a non-binding (but nevertheless important) opinion from the European Data Protection Board and approval from the representatives of the EU Member States as part of the comitology procedure. The EU Commission will then need to formally approve the decision. The European Parliament may intervene at any time during the adoption process.
There is significant political backing for the Framework given the announcement by both U.S. President Joe Biden and European Commission President Ursula von der Leyen last week. However, the formal process is likely to take a number of months and, given the independence of the members of the European Data Protection Board and the unpredictability of the views of the EU institutions, the outcome is not completely assured.
Why?
The main reasons for this initiative are likely to be economic. The EU and US have an economic relationship worth $7.1 trillion, and transfers of data underpin more than $1 trillion in cross-border commerce. Parts of that relationship were increasingly under threat following the Schrems II decision, which made transfers of personal data from the EU to the US significantly more difficult and uncertain.
The cost and expense of reviewing and analysing those transfers has created a significant barrier to data transfers to the US, particularly for small and medium-sized enterprises.
Given the world economy is still recovering from the Covid pandemic and is now having to deal with the consequences of significant economic sanctions against Russia, it is not surprising that both the EU and US want the economic boost this new Framework will provide.
More generally, the events in Ukraine may have provided an opportunity to re-assess the benefits of a strong transatlantic relationship, with the White House press release noting that the deal “reflects the strength of the enduring US-EU relationship, as we continue to deepen our partnership based on our shared democratic values”.
What next?
As set out above, the new Trans-Atlantic Data Privacy Framework will take a number of months to be formally approved by the EU. After that, take-up should be swift given US recipients can rely on the existing process of self-certification against the Privacy Shield Principles.
The Framework will then need to brace itself against further legal challenges in the EU Court of Justice. Max Schrems’ noyb has already stated that it “expects to be able to get any new agreement that does not meet the requirements of EU law back to the CJEU within a matter of months”; though any final decision by the CJEU would take at least a year.
Finally, what about the UK? Post-Brexit, the UK is free to chart its own course so will not be bound by any adequacy decision by the EU. Having said that, one of the purposes of Brexit was to deregulate and liberalise the UK economy, and to strengthen ties to the US – it will therefore be anathema for personal data transfers from the EU to the US to be easier than those from the UK. The UK will want its own transfer solution in short order, though in the absence of the US putting bespoke arrangements in place, the solution may well be a close copy of the model developed by the EU.
For further information, please contact:
Ieuan Jolly, Partner, Linklaters
ieuan.jolly@linklaters.com