US and EU Announce a New Trans-Atlantic Data Privacy Framework
On Friday, March 25, the White House announced that it and the European Commission have “committed” to a new framework to facilitate data transfers from the EU to the US. The news is welcome, if frustratingly bare of detail, to the thousands of businesses that had relied on Privacy Shield to legitimize such transfers prior to the European Union’s Court of Justice (CJEU) decision in July 2020 invalidating it.
The EU’s GDPR imposes significant limitations on the ability to transfer the personal data of data subjects within the EU to jurisdictions not deemed to provide adequate levels of privacy protection. The US is one such jurisdiction. Although other transfer mechanisms do exist—such as the implementation of binding corporate rules or the execution of contracts containing standard contractual clauses (SCCs) approved by the European Commission—these mechanisms can be quite cumbersome to implement, and neither fully addresses the concerns expressed by the CJEU in invalidating Privacy Shield. Privacy Shield—overseen by the US Department of Commerce—was a popular alternative for many US businesses that needed to be able to receive personal data from the EU, such as human resources data for their EU employees.
Privacy Shield met its end in a case brought by Maximilian Schrems, an Austrian privacy advocate. The CJEU held that Privacy Shield failed to provide EU data subjects a meaningful judicial remedy in the event the US entity violated—or was alleged to have violated—their privacy rights, and that the US’s Foreign Intelligence Surveillance Act (FISA) permitted the collection of personal data beyond that which the CJEU believes is necessary and proportionate.
The White House’s March 25 announcement states that the US “has committed to implement new safeguards to ensure that signals intelligence activities are necessary and proportionate in the pursuit of defined national security objectives, which will ensure the privacy of EU personal data and to create a new mechanism for EU individuals to seek redress if they believe they are unlawfully targeted by signals intelligence activities.” Unfortunately, little more detail is revealed, and precisely what these new mechanisms will be has not been made clear (if, indeed, they have even been developed yet).
Oddly, despite the lack of detail, media reports indicate that Mr. Schrems is already suggesting that he or another party will challenge any new deal in court as well. It’s worth remembering that the Snowden revelations caused a significant amount of distrust within Europe of US intelligence activities, and that seems little changed. As a consequence, whether any political solution reached between the Biden Administration and the European Commission will stand the test of time remains to be seen.
Still, this offers at least a glimmer of hope to businesses on both sides of the Atlantic struggling to address the need to use data for day-to-day operations. Perhaps that glimmer will yet grow to be a ray of sunshine.