On 25 March the EU Commission (Commission) and United States (US) announced that they had agreed in principle on a new “Trans-Atlantic Data Privacy Framework” (TADPF) to foster trans-Atlantic data flows and address the concerns raised by Schrems II. We briefly discuss the implications below.
The announcement was very high level and short on detail. The detail it did provide (the US announcement was fuller than the Commission’s announcement Joint Statement on Trans-Atlantic Data Privacy Framework (europa.eu)) was:
- it will include binding safeguards to limit access to data by US intelligence agencies to what is necessary and proportionate to protect national security;
- US intelligence agencies will adopt further procedures to ensure oversight of privacy and civil liberty standards;
- a new redress system will be made available to EU data subjects, including an independent Data Protection Review Court;
- US importers will need to self-certify to the Privacy Shield principles through the US Department of Commerce (no detail is given as to whether these are the current principles or whether they will be updated) through the US Department of Commerce;
- all of the foregoing will be implemented by a presidential Executive Order (not via Congress); and
- the EU Commission will then analyse and opine on the above through an Adequacy Decision.
Key points to note are set out below.
- Timings for publication of the detailed documents are unclear. Following Schrems I, the sequence of events was as follows:
(a) Schrems I Court of Justice of the European Union ruling and invalidation of Safe Harbour: 6 October 2015;
(b) US/ EU high level announcement of EU/US Privacy Shield agreement in principle: 2 February 2016;
(c) publication of detailed EU/ US Privacy Shield documents: 29 February 2016; and (d) final agreement on EU/US Privacy Shield and Adequacy Decision: 12 July 2016.
If these Schrems I timings are indicative, we might expect detailed documents on the TADPF in a month, with further back and forth through the European Data Protection Board (EDPB) and Members State representative committee opinions for a further 4 months or so.
- Max Schrems and NOYB immediately announced their scepticism to the TADPF and, if it does not meet the Schrems II requirements, their intention to challenge the TADPF through civil litigation with an aim of getting a referral up to the CJEU as soon as possible. This would take some months to unfold, but could conceivably put exporters who rely on the TADPF back to the pre-TADPF position such that transfer impact assessments/Standard Contractual Clauses (SCCs) for the US become necessary again. This means there may be a pause before both US importers change from their existing compliance solutions, and EU exporters accept reliance on the TADPF. Once the detailed documents are published, the commentary (from the EDPB, NYOB and law firms) on the TADPF’s robustness to challenge will be key.
- It is not clear if what is agreed will only apply to US importers who self-certify and implement Privacy Shield principles or whether these protections will apply to all transfers to the US and therefore assist in producing more favourable transfer impact assessments under SCCs or Binding Corporate Rules.
- It not clear if this agreement in principle will see a pause on enforcement activity in respect of transfers to the US whilst the details are being agreed – any clarification or indication on this from the EDPB or data protection authorities will be keenly watched.
- If it works, TADPF will only solve transfers to the US. Transfers to other jurisdictions without adequacy findings and with expansive surveillance laws will remain subject to the current SCC and transfer impact assessment process, so the focus may then shift to those countries.
- Post Brexit, the UK has its own export adequacy regime. It will be interesting to see if the UK follows the EU position as Switzerland has done to date or whether it breaks ranks and accepts different assurances or assurances that have been found to fall short by an EU institution.