The inevitable trequel? 'Schrems III', the Trans-Atlantic Data Privacy Framework, and a question of durability
In welcome news for EU and US businesses and organisations, a Privacy Shield 2.0 (the Trans-Atlantic Data Privacy Framework) has been agreed in principle between the European Union and the United States - but have we been here before? And will the details of the deal prove capable of withstanding a challenge at the EU Court of Justice for a third time? Joanne Bone looks at what might happen next.
Data as... gold, oil... now integral to democracy?
Convened under pressure of the Russian war against Ukraine and the humanitarian tragedy unfolding before the eyes of the world, the spotlight at the NATO press event shifted to the importance of keeping the data flowing from the EU to the US, highlighted as an issue integral to the safeguarding of democracy.
In their joint announcement, US President Biden and European Commission President Ursula von der Leyen announced progress on the Privacy Shield negotiations, declaring that an agreement in principle had been struck.
The agreement will permit EU personal data to be exported to the US without the need to enter into standard contractual clauses or to navigate the tricky requirements of a transfer impact assessment/transfer risk assessment. Obviously the devil is in the detail – Controllers and Processors alike, especially those with memory of the previous two false starts, will be keen to see what it will look like.
A follow-up White House statement shed some light on this, saying that it anticipates that U.S. commitments will be included in an Executive Order which will provide that:
- Signals intelligence collection may be undertaken only where necessary to advance legitimate national security objectives, and must not disproportionately impact the protection of individual privacy and civil liberties;
- EU individuals may seek redress from a new multi-layer redress mechanism, which will include an independent Data Protection Review Court to consist of individuals chosen from outside the U.S. Government, who would have full authority to adjudicate claims and direct remedial measures as needed; and
- U.S. intelligence agencies will adopt procedures to ensure effective oversight of new privacy and civil liberties standards.
Increased impetus from Europe
The need for a new Privacy Shield had been mounting as a steady stream of recent decisions by national data protection supervisory authorities made it difficult to get personal data to the US.
These decisions ruled that websites were in breach of the EU GDPR through their use of third-party cookies set by services such as Google Analytics, Stripe and even Google Fonts.
- 22 December 2021: The Austrian data protection authority delivered a preliminary ruling in the first of the 101 third-party cookie complaints filed by noyb. It found Austrian website Netdoktor's use of Google Analytics in breach of the GDPR rules relating to data export, as a result of identifiers being sent to the US. This was despite the use of Standard Contractual Clauses and Google's implementation of further contractual, organisational and technical measures.
- 31 December 2021: CNIL, the French data protection authority, fined Google and Facebook 150m and 60m euro respectively for cookie non-compliance on a similar basis.
- 5 January 2022: The European Data Protection Supervisor reprimanded the European Parliament over the transfer to the US of personal data of MEPs and employees via Google Analytics and Stripe cookies on its COVID testing website.
- 21 January 2022: The Munich State Court found that sending people’s IP addresses to the US, as a result of the website requiring the user’s browser to fetch a font from Google Fonts, was in breach of the export rules in the GDPR.
Further pressure was added by Meta's annual report in February, which warned that without an EU-US agreement for international data flows, products such as Facebook, WhatsApp and Instagram would have to be withdrawn from Europe. The tech giant followed up with a call for the two powers to establish "clear, global rules to protect transatlantic data flows over the long term."
How durable will Privacy Shield 2.0 be?
The answer will probably depend in part on how the ongoing EU-US negotiations and the resulting Executive Order navigate the unanimous Supreme Court decision in FBI v Fazaga handed down earlier this month. This case concerns when the US government can invoke the 'state secrets privilege' to avoid judicial review of alleged illegal surveillance.
Originally the case was seen as a positive, and the Court of Appeals decision was referenced in the European Commission's third annual review of the Privacy Shield and welcomed as ensuring,
"independent judicial review of information obtained through electronic surveillance under [the 1978 Foreign Intelligence Surveillance Act] FISA, including in situations where it could otherwise be withheld by the government on national security grounds."
This is no longer the case: the Supreme Court reversed that decision and accepted the US government's stance that the majority of the respondents’ claims fell under the ‘state secrets’ privilege, agreeing that s.1806(f) of FISA does not override the state secrets privilege and that the US government did not have to submit to trial procedures under the Act in order for the claimants' case to progress.
The timing and the reversal of the decision in Fazaga now look set to be an unwelcome thorn in the side of the new Privacy Shield, and could potentially necessitate action by Congress to address legislatively the precedent the case has set.
Privacy campaigners will be keeping a close eye on the Executive Order for any potential caveats allowing US national security agencies to avoid judicial scrutiny of whether electronic surveillance they conduct is lawful under FISA.
What is the UK doing?
According to the new UK Information Commissioner, John Edwards, the UK is not simply going to adopt the EU/US approach and is conducting its own adequacy assessment for transfers to the US. We await further information as to what any UK deal might look like.
Conclusion
A Trans-Atlantic Data Privacy Framework (or Privacy Shield 2.0, however it becomes known) will make life easier for businesses wanting to export personal data from the EU to the US – provided it sticks. If it doesn’t, then, as has happened before, it will be a short-term solution followed by the need to urgently change the approach once invalidated. For the Framework to be truly useful it needs to properly address the concerns of the CJEU articulated in Schrems II. Any fudge is likely to be seized upon immediately as the basis of a legal challenge – whether from Schrems and noyb or other campaigners.
We also need consistency between the UK and EU approaches so that businesses that operate in both the EU and the UK don’t need to juggle two sets of requirements as they do now. Currently they have to work out whether they will use the EU SCCs, the UK IDTA or the UK SCCs addendum. They also have to ensure that any Transfer Risk Assessment meets the requirements of the European Data Protection Board Recommendations and the UK ICO draft guidance – and from experience, businesses are often confused about what they need to do.
In summary, we would cautiously welcome Privacy Shield 2.0, depending on whether it offers a lasting solution.
Joanne Bone is a Partner specialising in GDPR, Data Protection and Commercial Contracts. For previous webinars on Data Protection topics from Joanne, catch up on YouTube.