On March 25th 2022, amidst wider discussions on US-EU cooperation, EU Commission President Ursula von der Leyen and US President Joe Biden announced an ‘agreement in principle’ on a new EU-US data sharing system termed the Trans-Atlantic Data Privacy Framework. This system (also termed by some observers as Privacy Shield 2.0) would act as a replacement for the previous Privacy Shield agreement that was struck-down as a consequence of the Schrems II ruling in mid-2020.
Previously, the Privacy Shield data transfer agreement had provided a framework for US organisations to receive personal data from the European Union without requiring Standard contractual clauses (SCCs).
The Schrems II ruling challenged and changed this.
Its proponents, lead by the Austrian Privacy advocate Max Schrems, claimed that the framework was insufficient to protect EU citizen personal data from US security agencies. The EU courts agreed, striking down the Privacy Shield and revoking its adequacy decision. Schrems II became a landmark ruling by the highest EU court that confirmed that the US was not an adequately secure data partner under the terms of the GDPR and resulted in the revocation of the Privacy shield data transfer agreement.
Since its revocation, EU-US data transfers have fallen under the remit of ‘restricted transfers’, legally requiring the inclusion of EU-approved SCCs in data transfer agreements. The Trans-Atlantic Data Privacy Framework hopes to change this.
“Predictable, trustworthy data flows”
So what can we expect from this framework?
It’s crucial to remember that this is only ‘an agreement in principle’ and that the exact details of the framework are yet to be released to the public. What we can assume is that this new agreement will seek to restore the data-transfer freedoms of its predecessor and enable the application of an ‘adequate’ data transfer mechanism.
Indeed there’s a lot riding on ‘Privacy Shield 2.0’ successfully implementation.
The US estimates that $7.1 trillion in economic activity will hinge upon a Privacy shield replacement surviving GDPR scrutiny and being implemented before tech companies are ordered to cease and desist data transfers from the EU to the US. As the various legal challenges to the Schrems II ruling peter out (In February Meta’s legal challenges were ended after EU regulators handed out their draft decision), several major tech firms have already threatened to limit or pull their services from Europe entirely. A new Privacy Shield agreement would dispel this threat and prevent these US-firms from having to change their data transferring actions.
Von der Leyen and Biden have stated that they hoped the agreement would restore “predictable, trustworthy data flows” between the US and EU. US tech firms hope that it will prevent them having to make wholesale changes to their data processing activities.
“Lipstick on a pig”
The announcement has been met with intense scepticism from privacy professionals, most notably from None of Your Business (NOYB) and their honorary chairman Max Schrems.
Following the statement, NOYB has reiterated that ‘there is only a political announcement, not a text that can be analysed’. They have also cautioned any hopes of improvement, noting that despite two years of discussions, solutions to the initial Privacy Shield’s problems have yet to be found. Moreover, NOYB claim that the US is not planning to significantly change its surveillance laws raising questions of how this would pass the CJEU’s ‘proportionality’ tests; Tests that both the Privacy Shield and its predecessor ‘Safe Harbour’ failed.
Their scepticism is further reflected in Max Schrem’s individual statement on the announcement. In it, he reiterates that the Trans-Atlantic Data Privacy Framework will face the same scrutiny and (if necessary) legal challenges as its predecessors. His dislike of the nature and timing of the announcement (“It is especially appalling that the US has allegedly used the war on Ukraine to push the EU on this economic matter”) is also palpable throughout the statement.
These privacy professionals have good reason to be sceptical.
Previous attempts to implement trans-Atlantic data sharing agreements failed to rectify identified issues and appeared to prioritise the working experience of US businesses at the expense of EU citizen’s rights. Fundamental issues regarding US agencies surveillance of EU citizens will need to be rectified and will require significant US policy changes.
No wonder NOYB have termed the announcement as ‘lipstick on a pig’.
What comes next?
As a political announcement with no actual text to review, the future of the Trans-Atlantic Data Privacy Framework is a difficult one to predict.
Changes to US surveillance policy have been promised and the White House has indicated that these may be established by means of executive orders. This would suggest that the US’ commitment to a speedy implementation is not just bluster and that significant weight is placed behind the push for its integration.
This is welcome news to US tech companies to be sure, but speed is no guarantee of efficacy.
The concerns of NOYB and Max Schrems are not unfounded and it is possible (even likely) that in their attempt to rectify the uncertainty surrounding EU-US data transfers, Privacy Shield 2.0 may mirror its predecessors and fall foul of the GDPR and CJEU. NOYB have stated that if the framework is not in line with EU law they will challenge it. Given their previous success, it would be unwise to bet against this challenge if it were to be filed.
While this issue will remain in limbo until the actual text of the agreement has been published, what this episode has allowed us to observe is the discrepancy and distrust between political leaders and privacy professionals. The underlying philosophies of both sides (US protection of business and political ambitions vs EU protection of individual privacy) appear somewhat antithetical without a practical solution to match the political ideals of the announcement.
Consequently EU-US data transfers will currently remain ‘restricted’ in nature and any businesses transferring EU citizen data to the US will require the application of approved SCCs. Lawmakers in the US and EU should be wary of creating another short-term fix that would enable and extend the uncertainty surrounding these transfers. For whilst these protracted and rehashed arguments continue, the protection of EU citizen data remains in flux.
To quote the mathematician John Allen Paulos: “uncertainty is the only certainty there is”.
