The European Commission and United States announce new trans-Atlantic Data Privacy Framework
In the Schrems II decision, the Court of Justice of the European Union held that the EU-US Privacy Shield – the previous framework regulating trans-Atlantic personal data transfers – was invalid. Although the Court left open the use of Standard Contractual Clauses for data transfers, its judgment cast some doubt on their appropriateness for international data transfers. As a result, data transfers between the EU and US have, since Schrems II, proceeded on an uncomfortable basis.
Step forwards the newly announced and ‘agreed in principle’ trans-Atlantic data privacy framework – the product of protracted negotiations between the EU and US. As the Privacy Shield purported to, the new framework aims to ensure that data protection standards are upheld on both sides of the Atlantic.
The framework’s scope extends to private actors and public authorities. Private companies will have to self-certify compliance with the new framework, as they did under the Privacy Shield.
As regards public authorities, the US has committed to implementing new safeguards to regulate how data is obtained and used for intelligence purposes, limiting access to data by US intelligence services to that which is necessary and proportionate to protect national security.
Given that the framework has only been agreed in principle, only a limited amount of information concerning the intended privacy framework has been published. Nonetheless the information which been published gives rise to interesting questions.
For example, the new framework will introduce a mechanism for data subjects based in the EU to seek redress if they believe they are unlawfully targeted by signals intelligence activities. Of note is that this redress mechanism will include a Data Protection Review Court. It is unclear what jurisdiction that court will have, or how its decisions will influence judgments of the CJEU or the domestic American courts (if at all).
Such questions, and potential legal hurdles, will come into sharper focus once the final text is published.
A monthly data protection bulletin from the barristers at 5 Essex Chambers