Trans-Atlantic Data Privacy Framework: A Solution to EU/US Cross Border Data Transfer Issues
It has been some time since we covered data flows between the EU and US. Here’s what is happening with the Trans-Atlantic Data Privacy Framework – and what’s still to come:
Background to the Trans-Atlantic Data Privacy Framework
Just in case you’ve forgotten: in July 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-US data transfer mechanism known as Privacy Shield. It determined that the Privacy Shield didn’t meet the EU’s privacy standards for appropriate protection of individuals from US surveillance, nor did it provide adequate legal means for Europeans to challenge it. This decision is known as Schrems II.
Timeline to Implement the Trans-Atlantic Data Privacy Framework:
Since then, the EU and the US have been working on new ways to support data transfers between the two jurisdictions.
In March 2022, the EU and US made an in-principle agreement to implement the Trans-Atlantic Data Privacy Framework. The key terms of the agreement include:
- The US will implement new rules to limit US intelligence access to personal data to what is necessary and proportionate to protect national security.
- The US will adopt procedures to ensure effective oversight of new privacy and civil liberties standards.
- Companies which process data transferred from the EU will need to meet stringent obligations.
- The introduction of specific monitoring and review mechanisms.
- The introduction of a two-tier redress system to investigate and resolve complaints made by Europeans about access to their data.
On 7 October 2022, President Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities. In addition to establishing a Data Protection Review Court, the Executive Order requires US intelligence agencies to implement new safeguards.
The European Commission will now commence its adoption procedure for an adequacy decision. This involves it receiving an opinion from the European Data Protection Board (EDPB) and approval from a committee of representatives from the EU Member States.
It remains to be seen whether the European Member States or European Parliament will take issue with the proposed framework. However, the European Commission has indicated it believes the proposed framework does address the issues raised in Schrems II.
Is Schrems III in The Future?
Privacy activist Max Schrems has indicated that he is likely to litigate the proposed Trans-Atlantic Data Privacy Framework.
Discussing the topic on The Tech Brief podcast, Schrems highlighted that the US definition of ‘proportionality’ does not align with the European definition. He suggests this means that Europeans are not offered the same level of protection in the US as in the EU, and that the framework is therefore not sufficient.
Schrems also highlights that the proposed US authority to which complaints about GDPR violations would be submitted is not a court. He suggests this is not sufficient to protect privacy rights.
You can listen to the full episode here and read our preliminary thoughts on the Privacy Shield 2.0 here. Max Schrems’ opinion that the new agreement may not meet EU standards has also been published via his advocacy group noyb here.
So, although there are positive signs with the development of a new Framework, it will still be some time until we know whether this new mechanism will meet EU requirements.
Are you unsure whether your organisation’s data transfers and data processing are compliant? Reach out. Our privacy team would love to work with you.