Upcoming framework for Trans-Atlantic data transfers

| Insight

The July 2020 Schrems II judgement of the Court of Justice of the European Union made it challenging for many companies to ensure the required legal basis for transfers of personal data from the EEA to the US. The EU Commission and the US Government have now announced a political breakthrough in the negotiations of a new framework for transfers of personal data to the US.

During the US President’s visit to Brussels, President Biden and President of the European Commission, Ursula von der Leyen, stated on Friday 25 March that the parties have agreed on the main principles of a new agreement on the protection of personal data transferred to the United States.

While a concrete agreement text has not yet been published, the US White House has published a Fact Sheet explaining the key principles to be expected in the final framework. To our understanding, there are still details that must be put in place before the final agreement is completed.

One of the main challenges has been to provide EEA citizens with actionable and effective rights, without this requiring more comprehensive and time-consuming legal reforms in the United States. The European Commission must also adopt a formal adequacy decision under Article 45 of the GDPR before EEA companies can base their transfers to the United States on the new agreement.

See also

Brussels, March 25 (Reuters):

EU, U.S. reach provisional deal on data flows but final pact months away

The EU and the US have previously entered into agreements on transfer mechanisms protecting personal data transferred to the US. Considering US surveillance legislation and government practice, these transfer mechanisms have since been rejected by the European Court of Justice. This applies to Safe Harbor which was invalidated in the Schrems I judgment in 2015 and Privacy Shield which was invalidated in the Schrems II judgment in 2020.

Privacy activist Max Schrems, who is behind the complaints raised about previous transfer agreements between the EU and the US, has, not surprisingly, expressed some   skepticism towards the news of new agreements. On the webpage of noyb – European Center for Digital Rights he states:

«We already had a purely political deal in 2015 that had no legal basis. From what you hear we could play the same game a third time now. The deal was apparently a symbol that von der Leyen wanted, but does not have support among experts in Brussels, as the US did not move. It is especially appalling that the US has allegedly used the war on Ukraine to push the EU on this economic matter.

The final text will need more time, once this arrives we will analyze it in depth, together with our US legal experts. If it is not in line with EU law, we or another group will likely challenge it. In the end, the Court of Justice will decide a third time. We expect this to be back at the Court within months from a final decision.»

It is regrettable that the EU and US have not used this situation to come to a ‘no spy’ agreement, with baseline guarantees among like-minded democracies. Customers and businesses face more years of legal uncertainty.»

Although it may take a few months before all the formalities have been completed, and even if the new agreement should be appealed to the courts, our opinion is that EU/US official statements about a new upcoming agreement provide justified assumptions that compliance with the EU data privacy rules will be eased for many companies that use cloud services from US suppliers or otherwise interact with companies in the US.

As a result of the Schrems II judgment and the invalidation of the former Privacy Shield, EEA based companies have had to rely on other transfer mechanisms, such as the EU Standard Contractual Clauses (SCC) or Binding Corporate Rules (BCRs), for the transfer of personal data to the US and other third countries. The EJC ruling and further guidance from the European Data Protection Board set out strict requirements involving complex assessments to be carried out before any personal data are transferred. Currently, thorough assessments must be conducted and documented in respect of efficient data protection, in the light of surveillance legislation and practice in third countries, incl. in the US. The national data protection authorities in Austria and France respectively have recently, in relation to complaints brought up by noyb, led by Max Schrems, concluded that Google Analytics’ transfer of personal data violates the Schrems II judgment and the requirements for data transfers under EU General Data Protection Regulation.

It remains to be seen whether the news about the upcoming establishment of a framework between EU and US will affect the supervisory authorities’ current follow-up on EU businesses’ transfers to the US, for example, by use of Google Analytics. It will also be very interesting to see how a new agreement solves issues related to US companies’ use of subcontractors outside the EEA, so-called «onward transfers». An agreement with the US in principle only provides a legal basis for transfers to the US, however, many US cloud providers use a number of subcontractors outside the US in order to offer global and secure services 24/7. A transfer agreement between EU and the US will in any case imply that EEA based companies can focus more on assessing the legitimacy of transfers to third countries other than the US. For transfers to the US, one must ensure that the recipient of the transferred personal data complies with the requirements set out in the new framework.