After almost two years of negotiations, the EU and US have finally announced that they have agreed in principle on a new Trans-Atlantic Data Privacy Framework. Yet beyond the grand political declaration, this new framework’s legal resilience has yet to be tested.
I. The post-Schrems II situation
As a reminder, in the Schrems II decision of July 2020, the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield agreement and defined the US as an inadequate processing location for European Economic Area (EEA) personal data.
This decision was largely motivated by the extensive investigative powers granted to US intelligence agencies. The Patriot Act and the CLOUD Act, in particular, allow these agencies to seriously compromise the integrity and confidentiality of data processed on US soil or controlled by US companies.
Because of this inadequate legal environment, data controllers intending to import EEA personal data to the US are generally required to use suboptimal transfer safeguards, such as Standard Contractual Clauses (SCC) or Binding Corporate Rules (BCR).
II. A new hope for trans-Atlantic data flows?
Today, after the failures of the Safe Harbor and Privacy Shield agreements, this new Trans-Atlantic Data Privacy Framework will allegedly “provide a durable basis for trans-Atlantic data flows”. But how, one may ask? The new legal mechanism has not yet been fully published, but it would include an independent US authority able to monitor and restrain the activities of intelligence agencies.
Naturally, after two failed agreements and a general distrust of US intelligence activities, this announcement raised as many eyebrows as it drew praise. The European Data Protection Board (EDPB), most notably, reacted cautiously to the declaration.
III. The legal checks to come
As required by the GDPR, the EDPB will be consulted before any adequacy decision is taken by the European Commission. While not binding, its opinion might give us a preview of the CJEU litigation likely to come. In a recent decision, the EDPB announced it would be examining the effectiveness of:
- The mechanism controlling the necessity and proportionality of any personal data collection motivated by national security purposes;
- The planned redress mechanism with regard to EEA individuals’ right to an effective remedy and to a fair trial. This includes in particular the new supervisory authority’s independence, its access to information, the enforceability of its decisions, and the ability to appeal its decisions or inaction.
So, what will come of this? Will the US legal system finally ensure effective protection of EEA personal data? Or are these once again only empty guarantees made in the name of business interests and national security?
Only time will tell.