At the end of March, President von der Leyen and President Biden announced a new deal on data transfers between the EU and the U.S. The announcement comes less than two years after Privacy Shield, the successor of the Safe Harbor agreement, was struck down by the Court of Justice of the European Union for its insufficient safeguards in regard to data protection.
Data protection has long been a source of dispute between the two major trade powers, with the U.S. preferring a more laissez-faire approach in stark contrast to the EU’s high degree of protection enshrined in its General Data Protection Regulation (GDPR). This piece of legislation aims to put into concrete terms the right to protection of personal data in the EU Charter of Fundamental Rights (Article 8).
EU requirements for international data transfers
According to Article 45 of the GDPR, the European Commission may issue an adequacy decision when it deems a third country’s safeguards for protecting personal data sufficient. This adequacy decision is one of the grounds upon which the transfer of personal data to a third country is possible.
The criteria for such a decision are strict; as per Recital 104, the level of protection afforded by the third country should be essentially equivalent to that in the EU, with data subjects being given “effective and enforceable rights and effective administrative and judicial redress”. Similarly, when establishing the level of protection in a third country, the rule of law, respect for fundamental rights, any relevant legislation, the role of supervisory bodies, and any international agreements the third country is bound by must all be taken into account.
Privacy Shield, a former EU-U.S. agreement on data transfers, failed in this respect, particularly in light of the processing of personal data for mass surveillance purposes by the U.S. authorities and the inadequate safeguards provided. The relevant adequacy decision was subsequently struck down by the Court of Justice of the European Union (CJEU) in its landmark Schrems II ruling.
Current state of play
Following the CJEU decision, parties involved in data transfers between the EU and the U.S. have had to resort to mechanisms for international transfers under Article 46 of the GDPR. However, negotiations on another international agreement between the two major trading blocs were revived soon after the Schrems II decision. Indeed, it has been claimed by some (whilst disputed by others) that the war in Ukraine has only increased the need for smooth EU-U.S. data flow.
On 25 March, it was announced that a revamped transatlantic agreement on data transfers had been agreed upon in principle. The U.S. is to guarantee that “surveillance activities are necessary and proportionate [...], establish a two-level independent redress mechanism with binding authority to direct remedial measures, and enhance rigorous and layered oversight of signals intelligence activities [...].” A fact sheet with an outline of the deal has been published, but it is yet to be translated into precise legal terms.
Whilst this announcement has been welcomed by some, it remains to be seen whether the new agreement will survive the scrutiny of the CJEU unless there is a major change in U.S. law.