Last month, the United States and the European Union agreed in principle to develop a trans-Atlantic data privacy framework. This effort became necessary after the Schrems II ruling by the Court of Justice of the European Union (CJEU) dismantled the Privacy Shield framework, leaving organizations scrambling for alternatives. The agreement for this new Trans-Atlantic data privacy framework developed in conjunction with the United States and the European Union’s commitment to working closer.
The CJEU was concerned over the type and degree of national security surveillance activities by the United States that provided access to personal data that was transferred from the EU. In Schrems II, the court held that the potential for government access to EU personal data violated privacy rights protected under EU law. The EU’s General Data Protection Regulation (GDPR) provides strong protection for privacy that the court felt conflicted with the US Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333, arguing that these US laws allowed privacy intrusions without enough oversight and opportunity for individual redress. The Schrems II decision was followed by a series of complaints by data subjects solidifying concerns about permitting data to be transferred to the United States.
Renewed Commitment To Working Together
The major stumbling block for solidifying this new trans-atlantic data privacy framework might be subject to “Schrems III” because the United States laws that the court found objectionable are unlikely to change dramatically any time soon. President Biden addressed this concern with a commitment to formalizing the commitments of the United States in an Executive Order (EO) which will bind the United States to increased privacy protections. This EO, combined with a Department of Justice (DOJ) regulation, will provide a mechanism of redress that will substantially modify United States law in response to EU privacy laws. Additional protections discussed include an independent non-governmental Data Protection Review Court and a US promise to implement new safeguards to ensure that national security objectives are narrow and proportionate. The language of these commitments shows that the United States is moving closer to the EU’s position that privacy is a fundamental right.
Is the Issue Resolved?
It’s not surprising that the reaction from the business community was overwhelmingly positive as the deal will allow the continued flow of data that underpins over $1 trillion in commerce. Critics of the “Framework” are concerned that it relies on Executive Orders and regulations without a solid statutory framework and would have been more comfortable with a codified “no spy” commitment. As a practical matter, the Congress in the United States passing legislation during a midterm election year is so unlikely that the “Framework” is considered the only viable solution by most stakeholders.