EU and US on course to adopt Schrems II-compliant transfers framework

On March 25, 2022, the European Commission and the United States Government announced they had “agreed in principle” on a new Trans-Atlantic Data Privacy Framework (“Framework”) to enable flows of personal data from the EU to the U.S. in compliance with the adequacy standards set out by the Court of Justice of the European Union (“CJEU”). The parties will now draft “legal documents” to reflect the agreed principles.

Legal background

The Framework will replace the Privacy Shield, which the CJEU invalidated in its Schrems II decision on July 16, 2020. Two key shortcomings of the Privacy Shield identified by the CJEU in Schrems II were that:

  • U.S. laws regulating the access and use by the U.S. intelligence community of personal data imported from the EU into the U.S., in particular § 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333, were not circumscribed in a way to provide protections “essentially equivalent” to the principle of proportionality under the EU Charter of Fundamental Rights (the “EU Charter”).
  • The Ombudsperson Mechanism established by the Privacy Shield did not provide individuals whose data was transferred to the U.S. with a means of redress in respect of the actions of the U.S. intelligence community which was “essentially equivalent” to the right to an effective remedy before an independent and impartial tribunal previously established by law, which is guaranteed by Article 47 of the EU Charter.

The new Framework

Consistent with the Privacy Shield’s structure, the Framework will require participating companies to self-certify their compliance with certain data protection obligations (“Privacy Shield Principles”) when transferring European personal data to the U.S. It does not appear the Privacy Shield Principles will change under the Framework (likely a comfort to the 3,316 organizations who maintained “active” Privacy Shield certifications even though they could not rely on it as a mechanism for EU-U.S. transfers over the past two years).

However, unlike the Privacy Shield, the Framework is expected to include a new Executive Order codifying U.S. Government commitments to reform its signals intelligence activities. According to a joint statement by the White House and the European Commission, the Executive Order will commit the U.S. Government to provide:

  • Enhanced privacy and civil liberties safeguards and oversight of U.S. intelligence authorities; and
  • Binding safeguards to limit access to data by U.S. intelligence authorities to what is necessary and proportionate to protect defined national security objectives.

In addition, and crucially, the Executive Order will establish a new two-tier redress mechanism to investigate and resolve complaints from Europeans relating to access to data by U.S. intelligence authorities. The mechanism will include a Data Protection Review Court (the “DPR Court”), which will consist of individuals chosen from outside the U.S. Government, with full authority to adjudicate claims and direct remedial measures as needed.

Will the Framework satisfy Schrems II?

The reforms to signals intelligence activities, combined with the establishment of the DPR Court, appear designed to specifically address the issues identified in Schrems II. The question is whether the CJEU, if it is ever asked to rule on this again, will agree that they do so. Although it will only be possible to fully assess this once the legal documents have been finalised, one key question is likely to be whether a court that is "essentially equivalent" to the independent and impartial tribunal guaranteed by the EU Charter can be validly established by a U.S. Executive Order.

Executive Orders are directives from the President of the United States that provide the U.S. Government with operational instructions in areas assigned to presidential authority. Executive Orders have the force of law, but the U.S. President is only able to give orders within his scope of authority under Article II of the U.S. Constitution and by statutory grants of authority from Congress. Put differently, Executive Orders cannot create new federal law: that is the role of the U.S. Congress.

In light of these constitutional limitations, there is likely to be a particular focus on whether the DPR Court meets the requirements set out by the CJEU in Schrems II of being:

  • Validly established by law (Schrems II, paragraphs 187 and 196);
  • Sufficiently independent from the U.S. Executive (Schrems II, paragraphs 194 and 195); and
  • Authorized to require appropriate corrective action by U.S. intelligence authorities, including by requiring them to fulfil data subject rights of access, rectification, and erasure (Schrems II, paragraphs 187 and 194).

An obvious question from the European perspective is why the U.S. Government has not chosen to sidestep these questions by establishing the DPR Court by means of primary legislation. The practical answer may relate to the length of time that passing such legislation would likely take and the urgent need to find a solution in light of recent European regulatory action relating to the new Standard Contractual Clauses.

However, this does not mean that "essential equivalence" cannot be met by means of an Executive Order. For example, the U.S. Attorney General, a member of the U.S. Executive, has existing procedures in place by which an independent Special Counsel can be appointed to investigate circumstances which could otherwise give rise to a conflict of interest. It is possible that appointments to the DPR Court would be similarly modelled, in order to ensure sufficient independence.

Ultimately, while it is not yet clear that the Privacy Shield Principles will fundamentally change, the Framework already promises to be a significant evolution from Privacy Shield because of expected commitments by the U.S. Government to implement mechanisms that address the CJEU’s concerns about EU fundamental rights. Whilst there are still questions to be resolved, stakeholders have reason to be optimistic that a pragmatic and resilient solution to transatlantic data flows will emerge.

Next steps

The parties will now draft “legal documents” to reflect the agreed principles. The legal documents constituting the Privacy Shield took around 6 months to draft, although there will be significant pressure to finalize the arrangement as quickly as possible. In the meantime, companies should continue to rely on suitable transfer mechanisms when transferring EU personal data to the U.S. For many, this will continue to be the standard contractual clauses together with transfer impact assessments.

Kathleen McGrath, a Knowledge Paralegal in our London office, assisted with this post.

 
