Policy brief on the state of play of the EU-US Data Flows
October 6th, 2023
Following the taking down of the Privacy Shield Agreement in 2016, data flows between the EU and US have been in peril due to the lack of an adequacy agreement, creating huge uncertainty on how companies and other organisations can send data across the Atlantic. On 25 March 2022, European Commission President von der Leyen and US President Joe Biden agreed on the pressing need to find a settlement. As Biden signed an executive order on 7 October, a compromise between the EU and US is expected to be reached within 6-12 months, finally giving legal certainty to companies. This policy brief will recap the background of the EU-US data transfers’ discussion, an overview of the changes, and possible next steps awaited.
Background: various reincarnations of EU-US data flows agreements
Under European Union law, the free flow of personal data from the EU to third countries with an adequate data protection level is possible in so far as the third country guarantees a level of protection of fundamental rights and freedoms that is “essentially equivalent” to the guarantees ensured by law in the EU.
In light of this, in July 2000, the European Commission decided that US companies were allowed to transfer data from the EU to the US in conformity with the principles and EU requirements set in the Safe Harbour legal adequacy decision. On 6 October 2015, however, the Court of Justice of the European Union (CJEU) issued a judgment known as Schrems I declaring the Safe Harbour decision invalid, as it would not entail sufficient protections.
Following the judgement, a new agreement was presented, the Privacy Shield Framework, repealed yet again by the Schrems II case in 2020, where the CJEU declared the Framework invalid due to the lack of adequate protection of personal data, specifically against possible interference by US authorities and lack of effective judicial protection. Since then, the Privacy Shield has not been a valid mean to comply with EU data protection requirements, although the decision did not relieve participants in the EU-US Privacy Shield of their obligations under the Framework.
Negotiations to repair the EU-US data pact began in 2020. On 25 March 2022, European Commission President Ursula von der Leyen and US President Joe Biden agreed to an updated “Privacy Shield 2.0 Agreement” data transfer agreement, allowing data to be sent across the Atlantic.
On 7 October 2022, US President Biden signed an executive order that would limit the ability of American national security agencies to access people’s personal information as part of the transatlantic data-sharing agreement with the EU. Now that the Privacy Shield executive order has been published, the European Commission can commence its ratification process, where it is expected for local politicians to weigh in, as well as EU privacy watchdogs, although both will be nonbinding opinions. Whatever happens, there is a risk for the final agreement to be challenged in court, meaning the deal could be null and void within another two years.
Revised Privacy Shield: what’s new?
The objective of the revised Privacy Shield agreement is to restore the legal basis for the free flow of data between the EU and the US by addressing the concerns raised in Schrems II, specifically, the lack of necessity and proportionality limitations on US surveillance programs; and the insufficient redress rights to challenge unlawful government surveillance.
Thus, in the executive order signed by Biden, new legal protections for European and American citizens regarding how US national security agencies can access and use their data have been defined. These include, for example, that a new language outlining what is “necessary and proportionate” will limit access to data by the agencies in their surveillance activities, representing a major change in how people’s data could be utilised for national security reasons. It also establishes an independent remedy mechanism, which includes a new Data Protection Review Court (DPRC) to investigate and resolve complaints regarding data access by US national security authorities – as well as enhancements to the commercial data protection principles to which US organisations self-certify under the Privacy Shield.
Next steps: EU and US seek to quickly jump the hurdles
Following the signature of the executive order, there remains some uncertainty about whether the order will ultimately meet the GDPR’s adequacy standard.
It is expected for the European Commission to prepare a draft adequacy decision within six months under Article 45 of the GDPR, followed by a formal adoption procedure. As part of this process, the Commission will draft a proposal for review by the European Data Protection Board (EDPB), which must then issue a legal opinion. After that, a committee comprising representatives from each EU Member State will evaluate the proposal and vote to approve the draft adequacy decision. Finally, if the committee’s advice is positive, the Commission will formally issue an adequacy decision for the new framework.
If the EDPB’s opinion provides a negative viewpoint, or if privacy campaigners oppose the Framework or the Executive Order, it may be subject to further revision and discussions between the EU and US.
Thus, it is unclear exactly how long this process will take. If the procedure was to run smoothly, it might be expected to take a minimum of six months until March 2023. If challenges were to be raised, it could take up to a year or more.
Grayling’s analysis: more legal challenges to come
As work on the revised Privacy Shield is ongoing, the main concern is to reach a satisfactory conclusion that would not be rejected again by the Courts. However, Maximilian Schrems, who initiated the two cases that took down the previous two transatlantic agreements, announced that he might attempt to raise a potential Schrems III case to the CJEU, which could stop the Privacy Shield 2.0 Agreement. In particular, he noted that the proposed DPRC would not be valid as it would not be considered as a court according to EU law. As previously found in Schrems II, the US did not provide effective judicial protection against interferences authorised by national legislation because the Privacy Shield Ombudsperson, established in light of the Privacy Shield Agreement, could not be regarded as a court according to EU law. As the DPRC only represents an upgrade from the Privacy Shield Ombudsperson, it would also not be considered as a court, according to Schrems.
A halt is unlikely to be welcomed by the Commission, which is pushing for a new legal tool for transatlantic data flows to ensure more legal certainty for companies. Nevertheless, according to Schrems, it is one of the fastest methods to force the EU and the US to abandon the current proposed agreement and reach one that presents legal certainty.
Thus, the Privacy Shield 2.0 Agreement may not be the long-term solution many have been seeking because it may not survive various administrative and legal challenges in the EU and the US. But companies can and should benefit from it by relying on it as a transfer mechanism until ruled inadequate or unlawful.