What has happened?
The European Union has today announced ‘agreement in principle’ with the United States on a new data transfer framework, intended to replace the Privacy Shield framework that was struck down in the 2020 Schrems II decision of the Court of Justice of the European Union.
The agreement was announced in a joint press conference between European Commission President von der Leyen and U.S. President Biden and comes at a time when the two sides are keen to demonstrate a close political alliance in light of broader world events.
What does the agreement say?
At this moment in time, we have very little information about the substance of the agreement, and no draft legal text has been released (or, to our knowledge, prepared). Rather, the announcement is an indication that the parties have found common ground on the outline of a deal. The legal detail is still to be ironed out.
Whilst the EU Commission has the absolute power to adopt an adequacy decision for a new US data transfer framework, under the comitology procedure the Commission will have to consult on the draft decision first and will also take into account the views of the European Data Protection Board. Ultimately, the EU Commission is likely to be most concerned about the potential for legal challenge of the deal – a Schrems III scenario – and is unlikely to want to adopt anything that it feels stands a material chance of being overturned by the CJEU.
What are the difficulties with a new data transfer framework?
The main challenge will be for the EU and the U.S. is to demonstrate that the agreement provides for ‘effective legal remedies’ that can be exercised by EU data subjects in circumstances where their personal data is accessed by U.S. intelligence agencies. The interpretation of the CJEU is that these effective legal remedies must equate to judicial remedies. The administrative solution of an ‘Ombudsperson’ under Privacy Shield was found to be inadequate in this respect.
However, the difficulties for an EU data subject to obtain judicial redress against the U.S. Government in relation to surveillance activities are acknowledged to be considerable, and the parties will need to work hard to find a convincing solution to this challenge.
What do I need to do now?
For the time being then, nothing fundamental has changed. The legal position for transfers of personal data from the EU remains the same as it has been since July 2020 – Privacy Shield is no longer a mechanism for transferring personal data to the United States, and transfers made under ‘appropriate safeguards’ (such as the standard contractual clauses’) must be accompanied by an assessment of extent to which the transfer provides for an adequate level of protection (a so-called ‘data transfer impact assessment’).
For businesses operating in the UK, it is worth remembering that the UK Government has included the United States of America on its ‘priority list’ for future ‘UK data partnerships’ now that the UK Government has independent powers to issue its own adequacy decisions under the UK GDPR. It will be interesting to observe how any such UK decision plays out, in particular now that the UK is no longer subject to the jurisdiction of the CJEU.
In summary, organisations will need to continue to watch this space. One thing, however, is clear – namely that developments in the ever-changing world of international data transfers show no sign of slowing down.
If you have any questions about the content of this post, please contact your usual DLA Piper lawyer.