On March 25, 2022, the United States and the European Commission announced an agreement in principle on a new Trans-Atlantic Data Privacy Framework (Framework). This effort is the third of its kind, and its history showcases the legal complexity involved in creating a mechanism that both fosters secure data flows between the United States and the European Union (EU) and provides redress for EU individuals whose personal data is accessed by U.S. government surveillance activities.
The Framework promises a lawful vehicle through which companies can transfer personal data across the Atlantic without the uncertainty that has surrounded such transfers since 2020, thereby expanding global business. If the Framework operates as promised and intended, a data flow-reliant economic relationship worth $7.1 trillion would be supported and encouraged.
Under the General Data Protection Regulation (GDPR), personal data may be transferred from the European Economic Area (EEA) to a country outside the EEA only if one of the conditions in Chapter V of the GDPR is met. The European Commission has the authority to determine that a country provides an adequate level of protection (an "adequacy decision"); where no such decision exists, the exporting controller or processor must itself provide appropriate safeguards, such as standard contractual clauses or binding corporate rules, that compensate for the gap between the destination country's law and EU standards.
Between the United States and the EU, there have been two previous data-sharing mechanisms designed to provide a relatively easy “self-certification” method for U.S. companies to satisfy the safeguard requirement, each of which has been invalidated by the Court of Justice of the European Union (CJEU).
In October 2015, the CJEU determined that the first mechanism, the Safe Harbor Privacy Principles (Safe Harbor), was invalid in Schrems v. Data Protection Commissioner, Case C-362/14, ECLI:EU:C:2015:650 (Oct. 6, 2015) [hereinafter Schrems I]. In Schrems I, the CJEU found that the Safe Harbor failed to adequately protect the privacy of EU individuals because U.S. law allowed the government to access personal data for national security purposes without sufficient limits and without effective judicial redress. In response, the United States and the EU developed the EU-U.S. Privacy Shield (Privacy Shield), a second self-certification mechanism. The Privacy Shield paired data-protection obligations for self-certifying companies with written assurances from the U.S. government regarding access to personal data for national security purposes, including an Ombudsperson within the U.S. Department of State to handle complaints from EU individuals.
After its adoption, however, the Privacy Shield received harsh criticism on the ground that it failed to resolve the U.S. government surveillance issues identified in Schrems I.
Thereafter, on July 16, 2020, the CJEU invalidated the Privacy Shield in Data Protection Commissioner v. Facebook Ireland Ltd and Maximillian Schrems, Case C-311/18, ECLI:EU:C:2020:559 (July 16, 2020) [hereinafter Schrems II]. In Schrems II, the CJEU found the Privacy Shield insufficient because U.S. surveillance programs were not limited to what is strictly necessary and proportionate under EU law, and because the Ombudsperson mechanism did not give EU individuals an effective remedy before an independent and impartial body.
Following the Schrems II decision, transfers of personal data from the EEA and the U.K. to the United States had to rest on an alternative valid transfer mechanism. Most organizations turned to the European Commission's standard contractual clauses (SCCs), which the CJEU left intact in principle. The court, however, required exporters to assess on a case-by-case basis whether the law of the destination country undermines the protections in the SCCs and, where it does, to adopt supplementary measures or suspend the transfer. In practice, this significantly limited routine transfers of personal data to the United States by EU companies.
The new Framework highlights a shared commitment between the EU and the United States to data protection, privacy, and the rule of law, backed by an independent and binding redress authority. It recognizes the importance of data flows between their respective citizens, economies, and societies. More data flows between the United States and the EU than between any other two parts of the world, and a $7.1 trillion U.S.-EU economic relationship is reliant on that flow. Data flow is thus critical to the Trans-Atlantic economic relationship and to companies across every sector of the economy.
By ensuring a durable and reliable legal basis for data flows, the new Framework supports a comprehensive and competitive digital economy and fosters economic cooperation. Notably, it tackles the issues raised in the CJEU’s Schrems II decision concerning U.S. government surveillance.
Under the new Framework, the United States has made unprecedented commitments: strengthening the privacy and civil liberties safeguards that govern U.S. signals intelligence activities, establishing a new redress mechanism with independent and binding authority to resolve complaints about government surveillance, and enhancing its existing layered oversight of intelligence activities.
As a result, U.S. signals intelligence activities will be subject to new safeguards designed to ensure that access to personal data takes place only where necessary and proportionate to advance defined national security objectives, and that such access does not disproportionately affect the rights and freedoms of individuals. U.S. intelligence agencies will have to adopt procedures to ensure effective oversight of these new privacy and civil liberties standards.
EU individuals will be able to bring complaints about U.S. signals intelligence access to a new, independent Data Protection Review Court. This court will consist of individuals from outside the U.S. government with full authority to adjudicate claims and direct remedial measures as necessary. Complaints against participating companies, by contrast, will continue to be handled through the commercial redress avenues of the Principles, including independent dispute resolution and, as a last resort, binding arbitration.
Moreover, participating companies and organizations will still be required to adhere to the Privacy Shield Principles, the substantive data-protection obligations carried over from the prior framework. These Principles require companies to self-certify their adherence through the U.S. Department of Commerce.
This Framework provides vital benefits to EU and U.S. citizens and to participating companies. For EU individuals, the agreement includes new, high-standard commitments regarding the protection of personal data. For citizens and companies on both sides, the agreement enables the continued flow of data. For the world, this means more competition, which allows businesses of all sizes to develop, grow and thrive.
Relevantly, the European Data Protection Board recommends that data exporters, including institutions such as banks and insurance companies, assess the law and practice of the destination country and, where the transfer tool alone does not deliver protection essentially equivalent to that of the EU, adopt supplementary contractual, organizational, and technical measures. Regular audits and internal disciplinary rules are thus highly recommended to enforce compliance and to support data minimization. In this way, institutions can control what data is transferred and avoid transferring more than is necessary for the purpose.
In more serious cases, the competent Data Protection Authority may order an infringer to bring its processing into compliance and, if necessary, impose administrative fines of up to 20 million euros or 4% of the company's total worldwide annual turnover for the preceding financial year, whichever is higher. Member States may additionally provide for criminal penalties under national law.
Ultimately, the U.S. commitments under this agreement will be implemented through an Executive Order and accompanying regulations. Those documents will form the basis on which the European Commission assesses and adopts a new adequacy decision for the United States.
Biometric data protection is in its nascent stages, and the GDPR is one of the few existing legal sources regulating biometric data across international borders. Adopted in 2016 and applicable since May 2018, the GDPR defines biometric data in Article 4(14) as personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person which allow or confirm that person's unique identification, such as facial images or fingerprint data. Ordinary identifiers such as date of birth, marital status, gender, name, or address are personal data but are not biometric data. Biometric data processed to uniquely identify a person is a special category of data under Article 9, and its processing is prohibited unless an exception applies, such as the individual's explicit consent. With the explosive growth of international data sharing and the limited enforcement of biometric data rules on both sides of the Atlantic, mechanisms like the Framework will be relied on to create secure data flow channels. If the Framework provides the level of security that participating institutions and companies need to transfer personal data, then the markets that rely on those secure pathways will flourish.
Reprinted with permission from the July 3, 2022 edition of the Legal Intelligencer© 2022 ALM Media Properties, LLC. All rights reserved.