US and EU Agree in Principle on New Privacy Framework
The United States government and the European Commission have trailered a new Trans-Atlantic Data Privacy Framework, addressing concerns which led to the demise of the last one in mid-2020, and allowing data to flow more freely again between the two. Critics are already clearing their diaries for 'Schrems III'.
The original Privacy Shield was agreed in February 2016 and itself replaced the Safe Harbour agreement invalidated the previous October by the Court of Justice of the European Union (CJEU), which ruled it had not ensured a sufficient level of data protection as required by EU law. Privacy Shield held for four years or so until being itself struck down by the CJEU in the Schrems II decision of July 2020.
The US government says today's agreement and the Framework envisaged represent 'an unprecedented commitment on the U.S. side to implement reforms that will strengthen the privacy and civil liberties protections applicable to U.S. signals intelligence activities' - the ECJ's rejection of previous deals has been centred on the extent of the US government's surveillance of personal data. New safeguards will ensure that the latter is 'necessary and proportionate in the pursuit of defined national security objectives', and a two-level independent redress mechanism will be given 'binding authority to direct remedial measures'.
The Framework is the result of more than a year of detailed negotiations between the two, led by Secretary of Commerce Gina Raimondo and Commissioner for Justice Didier Reynders; and aims to promote 'an inclusive digital economy in which all people can participate and in which companies of all sizes from all of our countries can thrive'.
The agreement-in-principle now needs translating into legal documents to be adopted on both sides. The new U.S. commitments will be included in an Executive Order and will form the basis of a future 'adequacy decision' by the European Commission. Unlike the original Privacy Shield, this one (and the Commission's adequacy verdict) will not automatically apply to the UK, whose government can now make an independent decision on whether to adopt a similar document.
Already Austrian lawyer and privacy activist Max Schrems has suggested - on his NOYB (None of Your Business) web site - that the latest agreement is likely to prove little more than 'lipstick on a pig': 'What noyb hears is that the US is not planning to change its surveillance laws, but only foreseen executive reassurances (using EU language like 'proportionality'). It is unclear how this would remotely pass the test by the CJEU, as US surveillance was already held not to be 'proportionate' by the CJEU. Previous agreements failed twice in this respect.'
In a further statement, Schrems forecasts: 'The final text will need more time, once this arrives we will analyze it in depth, together with our US legal experts. If it is not in line with EU law, we or another group will likely challenge it. In the end, the Court of Justice will decide a third time. We expect this to be back at the Court within months from a final decision.
'It is regrettable that the EU and US have not used this situation to come to a 'no spy' agreement, with baseline guarantees among like-minded democracies. Customers and businesses face more years of legal uncertainty.'
In the meantime businesses transferring potentially sensitive personal data across the Atlantic must fall back on the 'standard contractual clauses' in GDPR legislation.
Web sites: www.whitehouse.gov , www.europa.eu and www.noyb.eu/en/privacy-shield-20-first-reaction-max-schrems .