The world of EU-US data transfers was thrown into upheaval when the Court of Justice of the European Union (CJEU), Europe's highest court, ruled on the Schrems II case in 2020. The extended process of hashing out a replacement framework that meets the legal standards set out in that ruling has now entered an advanced phase, as the European Commission (EC) has put its stamp of approval on a US proposal and passed it along to the European Data Protection Board (EDPB) for further review.
The US proposal for a new EU-US data transfer framework that meets General Data Protection Regulation (GDPR) standards was drawn up in early 2022, with the Biden administration and EC president Ursula von der Leyen formally reaching an agreement in principle in March. An October executive order by Biden formalized this as the US's intended policy going forward, and the EC has concluded in a draft adequacy decision that the proposal meets the GDPR requirements as seen through the lens of Schrems II. The EDPB will now scrutinize the arrangement and issue its opinion before the draft goes to the EU member states and the European Parliament for their say.
EU-US data transfer replacement moves along with European Commission’s blessing
The EC review was the first step in the fairly lengthy adoption procedure; the EDPB, a committee composed of members of the EU states, and the European Parliament will all now have a look and a say before a new EU-US data transfer agreement is formally put into place. If the proposal clears all of these reviews, it heads back to the EC for the final steps before it becomes the new law of the land.
The Schrems II decision hinged primarily on the fact that the US has both overt laws and covert intelligence agency practices (as revealed by the Snowden leaks) that put the personal data of foreign parties into the hands of the government in an overbroad and indiscriminate way. The CJEU determined that these surveillance powers were not limited to what is strictly necessary and proportionate, and that EU data subjects had no effective judicial redress against them, so US law did not provide protection essentially equivalent to that guaranteed under the GDPR and the EU Charter of Fundamental Rights. The US therefore cannot be considered an adequate partner for data transfers until assurances of privacy are put into place.
One of the central points of the Schrems II decision was that the GDPR guarantees EU data subjects a certain level of visibility into what data is being taken and how it is being used, and the ability to challenge this process before an independent body if they feel their information is being misused or inappropriately accessed. The new EU-US data transfer framework addresses this with a set of several different mechanisms, including an ability to initiate disputes with participating companies and a formal resolution process that includes free access to an independent arbitration panel. Complaints about how US intelligence agencies may be surreptitiously intercepting and using EU personal data follow a separate path: the Data Protection Review Court, created by the executive order, will be the body that ultimately decides those complaints and can order remedies such as deletion of improperly collected data.
Will new EU-US data transfer arrangement survive a legal challenge?
The EU-US data transfer issue actually dates back to well before 2020, and even before the GDPR was implemented. As the "Schrems II" name implies, there was a prior 2015 case involving privacy campaigner Max Schrems that invalidated the original "Safe Harbor" framework. Safe Harbor relied on self-certification by the companies handling EU personal data, and the CJEU found that the EC had never established that US law actually constrained government access to that data once it arrived.
Schrems is all but certain to challenge the new EU-US data transfer framework in court, no matter what the eventual terms are. EU justice commissioner Didier Reynders has told the media that he feels the new framework has about a "70 to 80%" chance of surviving its eventual test in court, a concerning prospect given how long this process has already dragged on.
Officials are seeking to have the new EU-US data transfer framework in place and usable by July 2023, but with a court challenge likely to follow immediately, it could very well be gone again by 2024 or 2025. The one element that could ensure a new framework stays in place is well beyond the EU's control; the US government would have to pass a comprehensive federal data privacy law that addresses how intelligence agencies gather and handle foreign personal information flowing into the country. In the meantime it is a patchwork of the US government providing limited assurances and redress measures, and companies at the EU end attempting to keep data encrypted throughout the transfer in a way that keeps it from being intercepted by intelligence agencies. That supplementary measure only holds up if the encryption keys stay under EU control and the US recipient never needs the plaintext, which covers storage and backup scenarios but not the typical cloud service that has to process the data it receives.
Major tech firms are facing ongoing investigations over the legality of their present data transfer systems, some of which have been in motion for over a year now and could ultimately end with a ruling forbidding them from sending EU data back to their home servers in the US. They would not necessarily be off the hook for potential penalties related to these present data transfers if a new data transfer framework were adopted first, but would at least be provided with a legal path to continue for as long as the framework stands.
Schrems' privacy group noyb has issued a statement saying that it is studying the draft agreement in detail, but feels that it is not adequate and proportionate to GDPR requirements and will not survive a court challenge should the group opt to bring one. The group notes that the two sides are using different language to describe how data will be protected, and there is presently insufficient detail establishing exactly how the US measures will meet the prescribed GDPR proportionality standards. However, some independent legal analysts have said that the draft agreement pointedly addresses areas that had been specifically criticized by the prior court decisions, and that remaining issues can still be addressed before a new EU-US data transfer compact is finalized.