On 10 July 2023, the President of the European Commission, Ursula von der Leyen, announced on Twitter the entry into force of the adequacy decision for the Trans-Atlantic Data Privacy Framework (TADPF for short), thereby declaring the level of data protection in the USA essentially equivalent to that of the EU.
“Privacy Shield 2.0” is intended to ensure the legally secure transfer of personal data between the EU and the USA after the European Court of Justice (ECJ) declared its predecessor, the Privacy Shield, invalid in July 2020.
Although the EU Commission has declared data protection in the USA to be equivalent and thus sought to create a new legal basis for companies, the never-ending story is likely to get another sequel. This blog article explains why the new agreement is also on shaky ground and why the Austrian data protection activist Max Schrems is once again ready to litigate.
In the so-called “Schrems II” ruling, the ECJ relied heavily on the surveillance laws of the USA. On the one hand, the access powers of the US intelligence services contradict European data protection requirements. On the other hand, the relevant laws provide legal redress only to US citizens, not to EU data subjects.
The Trans-Atlantic Data Privacy Framework is meant to limit these surveillance powers. Under the agreement, EU citizens will have access to a new redress procedure. A key component of this procedure is an independent data protection tribunal composed of judges who are not part of the US government. This court has full authority to hear complaints and impose appropriate remedies.
At the same time, US intelligence agencies will be required to implement procedures that ensure effective oversight of the new privacy and civil liberties standards. The Executive Order issued by US President Biden in early October 2022 should also strengthen the legal position of EU citizens whose personal data is transferred to the US.
This includes a proportionality test for access to EU citizens’ data, a complaint procedure before the Civil Liberties Protection Officer (CLPO) of the Office of the Director of National Intelligence, and the possibility to challenge the CLPO’s decisions before the Data Protection Review Court. This court can make binding decisions and, in case of violations, order the deletion of the data concerned.
With the entry into force of the Trans-Atlantic Data Privacy Framework, there is currently legal certainty for transfers to US companies that certify themselves under this framework. By certifying, a US company commits to comply with the data protection principles of the EU-U.S. Data Privacy Framework.
The International Trade Administration (ITA) will launch the Data Privacy Framework program website on 17 July 2023, where US companies can submit self-certification applications.
Among the newly agreed privacy commitments is the deletion of personal data once it is no longer required for the purpose for which it was originally collected. The commitments also include other data protection principles such as data minimisation, i.e., collecting only the data that is actually necessary.
Companies already certified under the Privacy Shield must also update their privacy policies accordingly by 10 October 2023. At the end of June 2023, the US intelligence agencies confirmed that they had adapted their policies and procedures in line with Biden’s Executive Order 14086.
On the part of the EU and the US, officials agree that the new Data Privacy Framework is sound and meets all the European Court of Justice conditions. President Biden emphasizes that the decision for adequacy reflects a shared commitment to strong data protection and opens greater economic opportunities for countries and companies.
In February 2023, the European Data Protection Board (EDPB) issued a press release. The body welcomed the improvements, such as introducing requirements that comply with the principles of necessity and proportionality for intelligence data collection in the US and the new redress mechanism for EU data subjects.
At the same time, the Board expressed concerns and requested clarifications on several points. These relate to certain rights of data subjects, onward transfers, the scope of the exemptions, the temporary bulk collection of data, and the practical functioning of the redress mechanism.
Max Schrems, the Austrian data protection activist and lawyer, also clearly criticizes these aspects. One point of criticism is the different understanding of proportionality between the US and the EU.
The ECJ has found that mass surveillance under Section 702 of the Foreign Intelligence Surveillance Act (FISA 702) does not comply with the principle of proportionality under Article 52 of the EU Charter of Fundamental Rights. Although US Executive Order 14086 uses the word “proportionate,” the term arguably carries a different meaning in the United States than in EU law.
Another problem concerns the redress mechanism under the data protection framework. The ECJ has found that the previous remedy via the Privacy Shield “ombudsperson” is incompatible with Article 47 of the EU Charter of Fundamental Rights. Although the mechanism has now been split into a Civil Liberties Protection Officer (CLPO) and a so-called “Data Protection Review Court,” data subjects have no direct interaction with either body: complaints are filed through a national authority, and the complainant is informed only that no violation was found or that a remedy was ordered.
According to Schrems, although the US and the EU agree that FISA 702 violates fundamental rights, the United States refuses to reform the law and to provide adequate privacy protections to non-US citizens. Moreover, an Executive Order is not a statute: the next US President could rescind the order issued by Biden at any time.
For the lawyer, the Trans-Atlantic Data Privacy Framework is a copy of the rulebooks he has already brought down. He and the non-profit organisation none of your business (noyb) already have “various legal options in the drawer.”
Once the first companies rely on the new agreement, it can be challenged. The ECJ would then have to revisit the data protection agreement within months. If the first lawsuits are filed, the new agreement could be suspended for the duration of the litigation.
So far, companies have been able to use the following options to transfer personal data to the US in a legally secure manner. There are the standard contractual clauses (SCC), which the European Commission adopted in the wake of the Schrems II ruling. If both contracting parties adopt the standard contractual clauses, no further regulatory approval is required; however, since Schrems II the data exporter must also assess whether the clauses can actually be complied with in the destination country and, if necessary, add supplementary measures.
These clauses have recently been called into question in practice. A prominent example is the decision of the Irish Data Protection Commission in May 2023, which imposed a fine of EUR 1.2 billion on the US group Meta for transferring Facebook user data to the United States on the basis of SCCs and ordered it to suspend such transfers.
Within an internationally operating group of companies, binding internal data protection rules known as “Binding Corporate Rules” (BCR) can also be adopted. In contrast to standard contractual clauses, BCRs require approval by the competent supervisory authority, which increases the effort and expense for companies accordingly.
Despite these two options, US intelligence agencies continue to have access to EU citizens’ data, and there is a risk that the TADPF will be revoked as well because data protection in the US is inadequate. Such a process could drag on for three to five years and become another period of uncertainty for companies.
You don’t want to be in this grey zone? Service providers that process and store your data in the EU offer you considerably more legal certainty. Provided that the provider and its subcontractors are not themselves subject to US law, US intelligence agencies have no legal basis for compelling access to the data. When choosing your service providers, therefore, also pay attention to where their subcontractors are located and to whom they belong.
Feel free to contact us if you want GDPR-compliant IT security solutions.