The EU and US have an agreement in principle on a framework to replace the EU-US Privacy Shield, which was invalidated by the Schrems II judgment as it was determined to violate the principles of the EU General Data Protection Regulation (GDPR).
The EU-US Privacy Shield is a legal framework regulating exchanges of data for commercial purposes between the European Union and the United States. Companies relied on this framework when transferring data to ensure compliance with EU data protection and privacy laws – the GDPR. Schrems (and others) found that the data surveillance laws in the United States made it impossible to comply with the GDPR requirements for data processors. Once personal data had been transferred to the United States, it could no longer be protected in accordance with the GDPR and could be provided to the authorities in the United States.
It has been two years since the Schrems II judgment by the European Court of Justice, during which time there have been extensive discussions on a replacement framework that satisfies the needs of both sides. The agreement in principle reached between the EU and US means the replacement framework is now closer to being developed, which will help all companies that engage in data transfers from the EU to the US to comply with EU laws.
The new Trans-Atlantic Data Privacy Framework will include “new safeguards to ensure that signals surveillance activities are necessary and proportionate in the pursuit of defined national security objectives,” according to a joint statement issued by the United States and the European Commission. There will also be a “two-level independent redress mechanism with binding authority to direct remedial measures, and enhance rigorous and layered oversight of signals intelligence activities to ensure compliance with limitations on surveillance activities.”
While U.S. President Joe Biden and EU Commission President Ursula von der Leyen have both issued statements confirming they are pleased that progress has been made, not everyone is happy with the new data-sharing framework, the details of which have yet to be made public.
Max Schrems, Honorary Chairman of noyb and lead litigant in the “Schrems I” and “Schrems II” cases that went before the European Court of Justice, explained in a recent blog post – titled “Lipstick on a Pig” – that all that has been made is a political announcement. As far as he is aware, there is no draft framework at this stage. While an agreement has been reached, the wording of the announcement suggests the US has not really changed its stance on surveillance, which was the main issue with the EU-US Privacy Shield. Schrems said he will analyze the new framework in depth when it is made public to determine if it is compliant with EU data protection laws.