The United States and the European Union have been seeking a new data flow mechanism since 2020, when the European Court of Justice invalidated the EU-U.S. Privacy Shield agreement over concerns about U.S. government surveillance activities, creating disarray in transatlantic data transfers.
President Biden recently signed an executive order that brings a new data sharing pact between the two economies one step closer, but a finalized agreement is far from a done deal. A new framework is not likely to be finalized for several more months, and if and when it becomes available to U.S. businesses, legal challenges will almost certainly follow.
While a new era for EU-U.S. data transfers may be on the horizon, uncertainty is still the name of the game for the foreseeable future as the United States data privacy landscape continues to change rapidly.
Don’t miss our upcoming webinar on the 21st of September at 5pm (CEST) where we unlock the intricacies of data protection alongside Max Schrems, Chairperson of noyb and Privacy Lawyer, and Romain Gauthier, CEO of Didomi.
How we got here with the EU-U.S. data privacy framework
If data is the new oil in the global economy, then the invalidation of the EU-U.S. Privacy Shield Framework by the Court of Justice for the European Union (CJEU) left a gaping hole in the data pipeline connecting two of the world’s largest economies.
The U.S. Chamber of Commerce notes that digital data flows between the United States and the European Union underpin around $7 trillion in trade and investment, and that globally, data flows now contribute more to growth than the trade in goods. To facilitate transatlantic commerce in a way that complies with data protection requirements—including notably the EU’s General Data Protection Regulation (GDPR)—the U.S. Department of Commerce and the European Commission adopted Privacy Shield.
However, the CJEU struck down Privacy Shield in the July 2020 Schrems II decision, holding that it was invalid under the GDPR because it did not adequately protect the privacy rights of EU data subjects. The CJEU took issue with the access that U.S. surveillance agencies have to the personal data of European citizens. Specifically, the Court said that lawful U.S. data collection surveillance programs do not grant surveilled persons “actionable” rights of redress before “an independent and impartial court.”
As a result, thousands of U.S. businesses that relied on Privacy Shield as a clear means of sending personal data from the EU to the U.S. were left scrambling. IAPP points out that these data flows have since become legally questionable—if not effectively banned. The App Association says that many companies decided to suspend data transfers to avoid violating GDPR requirements and coming under legal scrutiny.
The EU-U.S. Data Privacy Framework is an attempt to restore lawful order to transatlantic data transfers. EU President Ursula von der Leyen and U.S. President Joe Biden announced in March 2022 that they had reached an agreement in principle on a successor to the failed Privacy Shield. On October 7, President Biden signed an Executive Order (EO) on Enhancing Safeguards for United States Signals Intelligence Activities.
What’s in the executive order
The EO provides enhanced data protections that address Privacy Shield shortcomings identified in the CJEU’s Schrems II decision. For EU residents whose personal information is transferred to the U.S., the EO puts in place:
New safeguards that limit the access US intelligence authorities have to Europeans’ personal data. Requirements in the EO only allow surveillance activities that are necessary and proportionate to protect national security.
This is a direct response to issues that the CJEU had with the scope of bulk personal data collection programs conducted under section 702 of the FISA Amendments Act of 2008 and EO 12333 (signed in 1981 by President Ronald Reagan).
A “multi-layer mechanism” that allows “individuals from qualifying states” (i.e., EU residents) to obtain “independent and binding review and redress” of complaints about the collection of their personal data by US national security authorities.
This addresses CJEU concerns about an “effective and enforceable” right of individual redress. The two-step redress system includes the appointment of a Civil Liberties Protection Officer (CLPO) of the Office of the Director of National Intelligence to investigate complaints and a new Data Protection Review Court (DPRC) to “provide independent and binding review of the CLPO’s decisions.”
Data privacy lawyer Peter Swire of Alston & Bird told IAPP that, “Critics who say this is a re-run of Privacy Shield are incorrect. The new U.S. redress system creates independent investigations and decisions on complaints, and binding orders on the U.S. intelligence community.”
The European Commission published a Q&A on the EO that says it contains “significant improvements compared to the Privacy Shield,” while U.S. Secretary of Commerce Gina Raimondo said in a statement that commitments made in the EO “fully address” the Schrems II decision.
However, not everyone is so enthusiastic about the EO. Max Schrems of the EU-based NGO NOYB, who brought the legal challenge that resulted in the Schrems II ruling, indicated in a statement that a legal challenge to the EU-U.S. DPF is coming.
"The EU and the US now agree on the use of the word 'proportionate' but seem to disagree on the meaning of it,” said Schrems. “In the end, the CJEU's definition will prevail - likely killing any EU decision again. The European Commission is turning a blind eye on US law again and allowing the continued surveillance of Europeans."
The road ahead for the EU-U.S. DPF
With Biden signing the Data Privacy Framework EO, the approval process now moves to European authorities. Before the framework is finalized, the following steps must be taken by officials in Europe:
The EU Commission drafts an adequacy determination and sends it to the European Data Protection Board (EDPB).
The EDPB issues a nonbinding opinion.
EU member states representatives vote on the proposal.
The EU Commission adopts a final adequacy decision.
The entire adequacy process is expected to take approximately 4 to 5 months. The process took 5 months in the case of Privacy Shield. Final approval is therefore not expected until spring 2023.
But even if the framework is adopted, legal challenges by privacy activists like Schrems and NOYB are almost guaranteed. Law firm Morgan Lewis believes that the Executive Order could also be subject to U.S. court challenges “because it arguably gives EU residents greater privacy protections than US citizens.”
In addition, staff attorneys with the ACLU’s National Security Project argue in The Hill that a recent Supreme Court decision makes it harder for U.S. and EU negotiators to reach a lasting agreement for transatlantic data transfers.
Assuming that the updated data transfer protocol is eventually approved and challenged in court, Kirk Nahra, a privacy attorney at law firm WilmerHale, told The Drum that he expects the new program to, at best, “buy about five years of stability.” For reference, it was almost four years to the day from the time Privacy Shield was adopted (July 12, 2016) to the time the CJEU declared it invalid (July 16, 2020).
What companies should be doing in the meantime
Given the current uncertainties surrounding cross-border data transfers, five years of stability might sound like a worthwhile deal for U.S. businesses that utilize European consumer data.
When Privacy Shield was invalidated in 2020, it did not instantly terminate all transfers for U.S. data importers. The U.S. Department of Commerce, which administers Privacy Shield, said at the time it would continue to enforce the obligations of the approximately 5,300 companies that relied on the program to comply with EU data protection rules. However, as the EDPB unequivocally stated at the time, “Transfers on the basis of this legal framework are illegal.”
A bright spot from the Schrems II ruling is that the CJEU upheld the validity of Standard Contractual Clauses (SCCs). Under the GDPR, SCCs that ensure appropriate data protection safeguards may be used as a ground for data transfers from the EU to the destination country. The European Commission has issued SCCs designed to comply with GDPR rules on international data transfers.
SCCs are the method most often used by small and medium-sized businesses to transfer data from the EU to the U.S. since the end of Privacy Shield. But SCCs alone may not be enough. Additional safeguards may be needed to supplement the SCCs. Companies that transfer data must verify, on a case-by-case basis, whether the laws of the destination country (i.e., the United States), adequately protect the transferred data under SCCs, and determine if additional protections are necessary.
In June 2021, the EDPB issued final recommendations on supplementary measures for data transfers. The recommendations lay out a process companies can follow to transfer personal data outside the European Economic Area.
According to DLA Piper, there are numerous requirements for assessing transfer risks and the need for supplementary measures, and companies’ level of accountability is very high.
Investigations of data transfers and enforcement actions have followed in the wake of Schrems II. The outcome, says Caitlyn Fennessy of IAPP, has been, “head-spinning confusion, higher legal costs and a more limited selection of service providers for smaller firms.”
Didomi helps companies make sense of ever-changing privacy laws
By itself, the end of Privacy Shield and the struggle to navigate a path forward has presented a significant challenge to businesses that rely on data transfers from Europe to the U.S. But this is just one development in a shifting privacy environment that also includes state privacy laws taking effect in 2023, FTC rulemaking on Commercial Surveillance and Data Security, and the possibility of federal privacy legislation.
Looking ahead, the rollercoaster privacy ride shows no sign of relenting. It can be difficult for companies, especially smaller organizations that lack large compliance budgets and dedicated in-house experts, to make sense of all these simultaneous developments. At the same time, businesses can’t afford to abandon operations altogether due to the risks of noncompliance.
But there’s another way.
The data privacy experts at Didomi work with companies to help them understand the chaotic privacy world, implement tools that comply with data protection laws worldwide, and turn privacy into business opportunities.
To speak with the privacy professionals at Didomi, please reach out and let us know how we can help.