International: Trans-Atlantic Data Privacy Framework - what you need to know
Almost two years on from the Court of Justice of the European Union's ('CJEU') judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'), and many transfer impact assessments ('TIAs') and supplementary measures later, the President of the European Commission, Ursula von der Leyen, announced in a statement alongside U.S. President, Joe Biden, on 25 March 2022, that the EU and the US had found an 'agreement in principle' on a new Trans-Atlantic Data Privacy Framework ('TADPF'). Shortly after, further statements arrived, with the transatlantic counterparties confirming an 'intensification of negotiations' over a framework that seeks to restore the seamless flow of personal data between the EU and US and purports to comply with the judgment in the Schrems II Case, accompanied by two fact sheets from the White House [1] and the Commission [2] respectively. In the days that have followed, several EU data protection authorities have reacted, including the Norwegian data protection authority ('the Norwegian Datatilsynet'), the North Rhine-Westphalia State Commissioner for Data Protection and Freedom of Information ('LDI NRW'), and the Danish data protection authority ('the Danish Datatilsynet'). OneTrust DataGuidance breaks down what we know so far about the TADPF and gathers reactions from industry experts, with an eye on what comes next, and what companies should consider in the meantime.
What is at stake?
The 20-month period since the Schrems II Case has left its mark on the international data transfer landscape, not least for EU-US data flows. With the EU-US Privacy Shield struck down and the availability of Standard Contractual Clauses ('SCCs') for third-country data transfers subjected to additional conditions in the form of TIAs and supplementary measures, organisations have been faced with new and complex challenges to lawfully maintain data flows. Such transfers form part of the global economy, as recognised in the White House fact sheet, which summarises: '[d]ata flows are critical to the trans-Atlantic economic relationship and for all companies large and small across all sectors of the economy. In fact, more data flows between the United States and Europe than anywhere else in the world, enabling the $7.1 trillion U.S.-EU economic relationship'.
Despite several significant developments in 2021 providing organisations with an enhanced toolbox for international data transfers, with new guidance on supplementary measures from the European Data Protection Board ('EDPB') and a refreshed transfer mechanism in the form of the Commission's new SCCs, updated in light of the Schrems II Case, 2022 has seen the consequences of the Schrems II judgment, with an uptick in enforcement activity from European supervisory authorities, particularly in respect of EU-US transfers.
Against this backdrop, the (in principle) agreed TADPF is said to address the requirements set out by the CJEU in the Schrems II judgment, thereby aiming to restore certainty and providing 'a durable and reliable legal basis for data flows', which will 'underpin an inclusive and competitive digital economy and lay the foundation for further economic cooperation'.
Odia Kagan, Partner and Chair of GDPR Compliance & International Privacy at Fox Rothschild LLP, modulates some of the excitement, highlighting, "[a]s the Danish and Norwegian Datatilsynets pointed out in their press releases, this is, for now, just an agreement 'in principle' and we need to wait for the details – both to see what companies need to do and to assess whether or not the new arrangement has addressed the concerns previously voiced both in the European Commission reviews of Privacy Shield and, of course, by the CJEU in the Schrems II decision".
What do we know?
The joint statement speaks of 'an unprecedented commitment on the US side to implement reforms that will strengthen the privacy and civil liberties protections applicable to U.S. signals intelligence activities', with the White House assuring of 'new safeguards to ensure that signals intelligence activities are necessary and proportionate in the pursuit of defined national security objectives'.
Specifically, the White House fact sheet sets out three key commitments:
- To strengthen the privacy and civil liberties safeguards governing U.S. signals intelligence activities. More specifically, the White House fact sheet outlines that it is envisaged that under the TADPF, signals intelligence collection may be undertaken only where necessary to advance legitimate national security objectives, and must not disproportionately impact the protection of individual privacy and civil liberties.
- To establish a new redress mechanism with independent and binding authority. More specifically, the White House fact sheet outlines that it is envisaged that under the TADPF, EU individuals may seek redress from a new multi-layer redress mechanism that includes an independent Data Protection Review Court that would consist of individuals chosen from outside the U.S. Government who would have full authority to adjudicate claims and direct remedial measures as needed.
- To enhance its existing rigorous and layered oversight of signals intelligence activities. More specifically, the White House fact sheet outlines that it is envisaged that under the TADPF, U.S. intelligence agencies will adopt procedures to ensure effective oversight of new privacy and civil liberties standards.
Commenting on the above, Dr. Carlo Piltz, Partner at Piltz Legal, reflected, "[i]n principle, the TADPF appears to be suitable for improving the legal conditions for the transfer of personal data to the US".
Piltz further highlighted some of the ways that the TADPF can be seen to address the shortcomings of the EU-US Privacy Shield identified by the CJEU in the Schrems II judgment: "[a]ccording to the content of the White House fact sheet, data subjects will, for example, be given the opportunity to take legal action against measures taken by U.S. surveillance authorities. Further, privacy and fundamental freedoms of EU citizens will be given greater consideration before and during the implementation of such measures".
Kagan drew attention to the Data Protection Review Court mentioned above, noting, "[i]t remains to be seen how this court will operate and indeed, whether it will meet with the EU requirement for independence".
Practicalities – certification and dispute resolution
The White House fact sheet confirms that participating companies and organisations will continue to be required to adhere to the Privacy Shield Principles, including the requirement to self-certify their adherence to the Principles through the U.S. Department of Commerce.
In addition, it is outlined that EU individuals will continue to have access to multiple avenues of recourse to resolve complaints about participating organisations, including through alternative dispute resolution and binding arbitration.
As a final note, both fact sheets conclude by confirming the EU and US commitment to working towards translating the agreements in principle into legal documents. Specifically, it is outlined that the summarised US commitments will be included in an Executive Order that will form the basis of the Commission's assessment in its future adequacy decision.
However, Kagan clarified the additional procedural steps required which are not specified in the fact sheets: "[the Executive Order] will then need to be followed by the EU adequacy process, involving both the Commission and comments from the EDPB. The EU supervisory authorities are already waiting for this, as noted in the Datatilsynet's notice and in that from the LDI NRW".
Clarifying the potential impact of the completion of the above process, Piltz noted, "[i]deally, the TADPF will mean that data transfers to the US will no longer require special measures to protect personal data from access by U.S. authorities and that the conclusion of SCCs will not be necessary".
Kagan shed further light on the above, highlighting, "[o]ther obstacles are whether an Executive Order by the President, which is the mechanism to bring this about, would be deemed strong enough as it can be repealed by the next administration".
This final point did not escape the attention of the lead litigant of the Schrems II case, Max Schrems, who, in a statement released by None of your business ('NOYB') cast doubt over the effectiveness of executive assurances (as opposed to reform of US surveillance laws) to meet the requirements laid down by the CJEU in the Schrems II judgment, before forewarning, "[i]f [the final text] is not in line with EU law, we or another group will likely challenge it. In the end, the CJEU will decide a third time. We expect this to be back at the CJEU within months from a final decision".
Piltz, however, posited, "[i]n the worst-case scenario, the Commission decision on the TADPF will also be overturned by the CJEU within a few years".
What can companies do in the meantime?
Finally, Kagan considers what companies should be doing in the meantime pending further updates: "[it is a] good idea to keep doing your TIAs and those may indeed be part of the Privacy Shield process and in any way, TIAs plus SCCs are the option which is available in the meantime, until the new arrangement is finalised. It's also not a bad idea to look at the requirements of Privacy Shield, on which the TADPF will be based. This includes principles like Notice, Choice, Accountability for Onward Transfers, Security, Data Integrity and Purpose Limitation, Access, Recourse, Enforcement Liability etc. and see what your governance framework may be missing. And of course, keep on with the #cryandpray as this agreement, in principle, shows that this might be working".
Alexis Galanis, Lead Privacy Analyst
With comments provided by:
Odia Kagan, Partner and Chair of GDPR Compliance & International Privacy, Fox Rothschild LLP, Philadelphia
Dr. Carlo Piltz, Partner, Piltz Legal, Berlin
[1] See: https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/25/fact-sheet-united-states-and-european-commission-announce-trans-atlantic-data-privacy-framework/
[2] See: https://ec.europa.eu/commission/presscorner/detail/en/FS_22_2100