By Matt Rotert

On March 25, 2022, just shy of two years after the landmark Schrems II ruling invalidating the EU-U.S. Data Privacy Shield, the United States and the European Commission announced a preliminary agreement on a new data transfer framework, the “Trans-Atlantic Data Privacy Framework.”  While few details have been released, and officials have noted it may take months to reach a final deal, some important information was announced by the White House that might suggest that the U.S. is willing to address the issues raised by Schrems II.  Specifically:

• The United States will create “new safeguards to ensure that signals surveillance activities are necessary and proportionate in the pursuit of defined national security objectives (echoing the language used in Art. 23 of the GDPR);” [1]
• The United States will also “establish a two-level independent redress mechanism with binding authority to direct remedial measures;” [2] and
• The United States will “enhance rigorous and layered oversight of signals intelligence activities to ensure compliance with limitations on surveillance activities.” [3]

While the announcement, and the promise of a final agreement, are hopeful signs for the normalization of cross-border data transfers between the EU and United States, the response from critics of the EU-U.S. Privacy Shield was both immediate and ominous.  For example, Max Schrems issued the following statement regarding the announcement:

“We already had a purely political deal in 2015 that had no legal basis.  From what you hear, we could play the same game a third time now.  The deal was apparently a symbol that von der leyen wanted, but does not have support among experts in Brussels, as the U.S. did not move.  It is especially appalling that the U.S. has allegedly used the war on Ukraine to push the EU on this economic matter.”

The final text will need more time.  Once this arrives we will analyze it in depth, together with our U.S. legal experts.  If it is not in line with EU law, we, or another group, will likely challenge it.  In the end, the Court of Justice will decide a third time.  We expect this to be back at the Court within months from a final decision.” [4]

Despite the rhetoric, until the final text of the Trans-Atlantic Data Privacy Framework is released, there is very little to gauge the probability that these promised challenges will succeed.  While we all wait, there are three things to bear in mind:

1.  This announcement does not mean there is a final deal in place.  As a result, any transfer of personal data from the EU to the U.S. must meet the standards outlined in the Schrems II decision.
2.  Unlike when the EU-U.S. Privacy Shield was announced, there is no existing enforcement moratorium regarding the transfer of personal data to the U.S., and no such moratorium has been announced.  Therefore, any transfer of personal data from the EU to the U.S. can still be subject to a complaint and enforcement action by an EU data protection authority, such as the recent decisions by DSB and CNIL regarding Google Analytics.
3.  Assuming the Trans-Atlantic Data Privacy Framework is finalized and leads to an adequacy decision by the EU Commission regarding transfers of personal data to the U.S., it will almost certainly be challenged.

In short, the landscape for cross-border transfers of personal data to the U.S. is still fraught.  The issues raised by Schrems II regarding the access potentially granted to U.S. intelligence operations will not be easy to fix.  And the EU’s skepticism of U.S. data protection priorities is unlikely to dissipate based on a U.S. Executive Order promising greater accountability—even if that executive order echoes the same standards regarding national security as the GDPR. 

More to come in this space.

For additional information on this topic, please contact Matt Rotert at mrotert@redgravellp.com.

The views expressed in this article are those of the authors and not necessarily those of Redgrave LLP or its clients.

Download PDF