4 April 2022
The Internet and digitization are currently inconceivable without services from American companies. Data transfers to these companies can therefore hardly be avoided. However, many of these data transfers involve personal data, so that European data protection law, in particular the General Data Protection Regulation (GDPR), must be observed. The GDPR subjects data transfers to areas outside the European Economic Area (EEA) - so-called "third countries" - to various requirements, which are set forth in Art. 44 et seq. GDPR. Data transfers to U.S. companies are therefore only permitted if these requirements are complied with. An important practical basis for data transfers to third countries can be found in Art. 45 GDPR, the so-called adequacy decision. Under this provision, data may be transferred to those third countries for which the EU Commission has decided that the third country in question offers an adequate level of data protection.
Such an adequacy decision existed for the U.S. in the form of the so-called "Privacy Shield" agreement of 2016. However, it was precisely this adequacy decision that the European Court of Justice declared invalid in its "Schrems II" ruling of July 16, 2020. The European Court of Justice concluded that the Privacy Shield gave undue priority to the requirements of national security, public interest and compliance with U.S. law, and that U.S. law did not limit intrusions to a proportionate level: more data than strictly necessary could be collected. Furthermore, no appropriate legal remedies had been provided to the data subjects.
After the ruling, companies certified under the Privacy Shield were factually compelled to conclude standard contractual clauses pursuant to Art. 46 GDPR as an alternative. However, these offer only limited relief because of the very high requirements for data transfers to a third country set by the Schrems II ruling. In particular, performing an elaborate "Transfer Impact Assessment" (TIA), which considers the data protection level in the third country of the recipient, proves to be a complex challenge in practice. Because of the effort involved, there has long been a desire for a new edition of the Privacy Shield. For a long time, however, it was unclear whether this would happen, despite ongoing negotiations. Surprisingly, on March 25, 2022, the U.S. and the EU reached a political agreement on the so-called "Trans-Atlantic Data Privacy Framework" (TADPF), which is to form the basis for an adequacy decision by the European Commission. As anticipated by legal scholars (see here and here), implementation on the U.S. side is to take place through an Executive Order (more on this instrument here) and not through a formal parliamentary law. Whether this is sufficient will require scrutiny. In any event, the political agreement must now be followed by the preparation of implementing legislation on the U.S. side, on which the EU Commission can base an adequacy decision.
The European Commission and the U.S. government have announced an "agreement in principle" on a new Privacy Shield framework that would allow data to flow smoothly between the EU and the United States. Details were not disclosed, but the White House said in its press release that the U.S. has made "unprecedented commitments" to:
It goes on to say that the framework ensures that
These are essentially the same promises that, according to the recitals of the adequacy decision of July 16, 2016, the Privacy Shield should also have fulfilled (see here). As with the Privacy Shield, the system will operate on the basis of self-certification, which provides externally visible assurance that an organization is complying with the principles of the agreement. Consequently, data transfers under the TADPF will probably not be permitted to all U.S. recipients, but only to those that undertake, as part of a self-certification, to comply with data protection requirements comparable to the GDPR.
The announcement was greeted with relief by organizations and privacy experts. However, data privacy activists, including Max Schrems and NOYB, were more cautious (or, put more drastically, "Lipstick on a Pig"). They "...expect the matter to end up back before the [European] Court of Justice within months of a final decision." This assumes that the final Privacy Shield text will use GDPR-friendly language (such as "redress" and "proportionality") but will not be backed up by changes to U.S. surveillance laws.
It remains to be seen whether the EU and the U.S. can clear various legal hurdles:
According to the political agreement, EU data subjects will be able to turn to a Data Protection Review Court. Based on the information available so far, it is likely that this will not be a "real" court, as (federal) courts are created by federal law under Art. III(1) of the U.S. Constitution. However, this may not be decisive: the European Court of Justice stated in its Schrems I ruling that a third country does not have to introduce an exact copy of the EU judicial system in order to comply with European requirements. Similar statements can be found in the Advocate General's opinion in Schrems II, the WP29 opinion on the Privacy Shield, and the European Data Protection Board's (EDPB) Recommendation 2/2020. In this regard, it should be sufficient if the Data Protection Review Court is sufficiently independent and assertive to ensure effective data protection. Once the agreement is in place, the design of the remedy mechanism will thus have to be measured against the case law of the ECtHR and the European Court of Justice.
Of concern in this regard is a recent ruling by the U.S. Supreme Court (FBI v. Fazaga), in which the court strengthened the rights of surveillance authorities to access personal data of U.S. residents. U.S. residents at least enjoy the protection of the U.S. Constitution, whereas EU citizens do not - the question therefore arises whether, under U.S. law, EU citizens can be granted more rights than U.S. residents by way of an Executive Order. There is also the practical problem of how data subjects will learn of surveillance measures taken by the U.S. intelligence services so that they can bring them before the Data Protection Review Court if necessary. Since these measures are likely to be state secrets that the U.S. government does not have to disclose, this could result in gaps in protection that are unacceptable from the EU's perspective (see below for more on proportionality).
In any case, the Data Protection Review Court must be open to data subjects, even if they have not suffered any material disadvantages because of the data processing. This is not self-evident in the USA, even under the U.S. Constitution, as recent case law such as TransUnion LLC v. Ramirez shows.
Furthermore, it must be ensured that decisions of the Data Protection Review Court are actually observed by the U.S. authorities. Whether an Executive Order is sufficient for this seems questionable. Only legal ordinances can have such an effect (see here).
Finally, the protection of personal data must also be guaranteed in substance. According to the Schrems II ruling, this requires that interventions through the collection of signals ("signals intelligence activities") be proportionate and that no automatic priority be given to the requirements of national security, public interest and compliance with U.S. law. At first sight, "signals intelligence activities" as understood by the U.S. intelligence community appears to cover the collection of data as defined in Executive Order 12333 and under FISA - i.e., the collection of data both without and with the assistance of service providers.
The final sticking point is the proportionality test required by the European Court of Justice. The U.S. federal government can designate certain facts as state secrets, and such facts - for example the scope of data processing - are then not examined for proportionality at all. Any fact whose disclosure would harm the U.S. may be classified as a state secret, which could lead to far-reaching gaps in protection (see here). In addition, the U.S. interpretation of the proportionality test may tilt the balance in favor of state authorities. The assessment is further complicated by the fact that U.S. case law - if it recognizes a proportionality test in the European sense at all - does not really use this terminology, which makes the assessment of proportionality even more difficult.
A final version of the TADPF is not expected for several months, so it is unlikely to come into force in the short term. We assume - also in light of statements from the EU Commission - that an adequacy decision will not be available before the end of 2022. The expected course is that the USA will first draft its process, if necessary in consultation with the EU Commission. The process will then be submitted to the EU Commission for review, either as a binding proposal or already as a valid U.S. legal act. The Commission will seek an opinion from the EDPB, and other interested parties will presumably also comment. On the basis of the U.S. process and taking the comments into account, the EU Commission will complete its review and announce its decision.
For companies, everything remains "as is" for the time being: until the TADPF comes into force, data transfers to third countries will only be permitted on the basis of appropriate safeguards and thus, as a rule, only on the basis of standard contractual clauses. A Transfer Impact Assessment (TIA) will therefore remain indispensable for transfers to the USA for the time being.
Once the adequacy decision is finally available, it would potentially mean great relief for a large number of U.S. transfers, but presumably not for all: only those recipients who have committed themselves to compliance with European data protection principles in a self-certification procedure will likely be covered by the scope of protection of the TADPF. For appropriately certified recipients, a full transfer impact assessment would then presumably no longer be necessary: instead, the assessment could probably be limited to checking whether the recipient's certification is up to date and actually covers the specific data transfer. Only if one of these questions is answered in the negative will a full TIA process likely still be necessary. For non-certified companies, on the other hand - as for recipients in other unsafe third countries - the TADPF will probably not change much: both the conclusion of standard contractual clauses and the performance of a transfer impact assessment will, as a rule, probably remain necessary.
In any case, however, the TADPF is likely to bring the problem of third-country transfers into even sharper focus once again. At the latest when the TADPF enters into force - since from then on there will be de facto remedies - we can expect increased enforcement of the third-country transfer requirements by the authorities. Furthermore, it remains to be seen whether the TADPF will actually bring lasting legal certainty for data transfers to the U.S., or merely grant a short respite until a "Schrems III" ruling.