In July 2020, the Schrems II decision deemed the EU-U.S. Privacy Shield Framework inadequate for protecting data transfers and therefore invalid.
However, data still needs to move across the Atlantic. To facilitate this, the EU and U.S. created the Trans-Atlantic Data Privacy Framework — but what is it, and what does it mean for you?
- The EU courts invalidated the Privacy Shield Framework due to weak protections and the lack of a redress system.
- The new Data Transfer Framework tries to resolve these issues.
- We don’t know when the framework will be finalized, but there’s hope it’ll be enacted before the end of 2022.
The EU has long been at the forefront of privacy rights. Both the Data Protection Directive (DPD) and the General Data Protection Regulation (GDPR) were welcome changes, and as a result, many companies now hold, use and transfer data more responsibly.
However, the U.S. doesn’t have equivalent privacy legislation (which would allow for an adequacy decision) and the standard contractual clauses (SCCs) that allow third parties to trade data with the EU are far too slow and specific to facilitate the hundreds of billions of dollars in trade between the two.
That’s why it’s important to understand the Trans-Atlantic Data Privacy Framework, which will hopefully bridge the gap for companies that adopt procedures to protect user privacy.
The EU-U.S. Privacy Shield Framework was a set of regulations that, for participating companies, made data transfers from the EU easier. However, it was invalidated in 2020 due to inadequate protections.
The U.S. doesn’t have an adequacy decision, which would allow easy data transfers. Instead, the EU creates frameworks to help bridge the gap until U.S. privacy protections are sufficient for a future adequacy decision.
The Privacy Shield was invalidated mainly because it didn’t do enough to stop mass surveillance from U.S. national security agencies, and there wasn’t a good way for EU citizens to seek redress over mishandled data.
What Is the Trans-Atlantic Data Privacy Framework?
Much like the Safe Harbor and Privacy Shield legislation that came before it, the Trans-Atlantic Data Privacy Framework has one goal: to let companies transfer personal data between the EU and the U.S. without creating a loophole in the EU’s existing privacy legislation.
Who Is Affected by the Trans-Atlantic Data Privacy Framework?
There are two groups that are directly affected by this new framework: EU citizens and U.S. companies and organizations that are involved in cross-border commerce with the European Union.
However, the Privacy Shield principles were later used to guide legislation around cross-border commerce between other countries, particularly countries that are GDPR-compliant, like the U.K. and Switzerland.
Where Did the Trans-Atlantic Data Privacy Framework Come From?
Data privacy between the EU and the U.S. has been a problem since the EU signed the DPD and set it to be enforced by the end of 1998. This created a countdown that could have prevented the very valuable trade of data across the Atlantic.
The 7 Safe Harbor Principles
To stop this from happening, seven Safe Harbor principles were created about how organizations must interact with individuals whose data they collect. Below is a quick summary, but you can read all the details here.
- Notice: Giving individuals notice of the purposes for which organizations collect and use their information, plus how to contact the organization, etc.
- Choice: Giving individuals the choice of having their personal information disclosed to third parties.
- Onward Transfer: Making sure if an organization transfers information to a third party, the latter must also subscribe to the Safe Harbor Privacy Principles.
- Access: Giving individuals the right to access their personal information to correct, amend or delete it if inaccurate.
- Security: Ensuring organizations take precautions to protect personal information.
- Data Integrity: Ensuring personal information is relevant to the purpose of use.
- Enforcement: Ensuring compliance with the principles by making available options for investigation, verification of commitments to the principles, and the obligation to remedy failure of compliance.
The idea was that any U.S. organization that followed these principles could safely receive and handle EU personal data.
The Schrems I Case
After the U.S. government surveillance controversy in 2013, complaints filed by the lawyer Max Schrems about Facebook’s lack of adequate protection for personal data were escalated to the Court of Justice of the European Union (CJEU).
In this case, commonly referred to as Schrems I, the CJEU ruled that the Safe Harbor principles were inadequate. This meant that, when the case concluded in October 2015, the U.S. and EU had just three months to find an alternative, or the EU would treat U.S. companies like any other third party and force them to create and use specific SCCs.
Within days a new deal was being worked on, allowing companies to continue transferring data. In July 2016, the EU finally approved the Privacy Shield, with added protections such as closer monitoring of compliant companies, assurances that the U.S. would enact better safeguards and a dedicated ombudsperson — an alternative dispute resolution process to help fix issues.
The Schrems II Case
However, the Privacy Shield didn’t go far enough, and was doomed to fail from the start. In July 2020, just four years after it was signed, the Schrems II court case ruled the Privacy Shield inadequate and therefore invalid, so U.S. companies were once again treated like a third party.
For a third time, the U.S. and the EU were back in detailed negotiations. In March 2022 they made a joint statement, announcing that they had agreed to the Trans-Atlantic Data Privacy Framework in principle, and that they were just working out the final specifics.
Why Did the EU Court of Justice Invalidate the Privacy Shield Framework?
Under GDPR, the EU has far stronger data privacy and more direct remedial measures than the U.S. has. The intention of the Privacy Shield was to bridge that gap, and the CJEU decided it didn’t do enough.
The first major issue was that the U.S. could still conduct mass surveillance without the proportionate, defined national security objectives that EU member states usually need in order to circumvent data protection laws in the name of safety.
The second problem was the lack of a good redress system for complaining about the mishandling of data and correcting any wrongs. There wasn’t an independent and binding authority that could argue on behalf of EU individuals when U.S. intelligence activities unreasonably overstepped protections.
What Does the Trans-Atlantic Data Privacy Framework Do Differently?
We don’t yet have the final, signed legal documents, and theoretically anything could change until it’s formally signed into law. However, we do know the key issues that this new framework is trying to resolve.
On top of the key principles of the Privacy Shield, it’s set to include:
- New safeguards on signals intelligence activities.
- A new, two-tier redress system that includes a data protection review court for resolving complaints (similar to the European Data Protection Board).
- Greater oversight to ensure relevant organizations are following civil liberties standards.
Ultimately, this should mean that U.S. companies and intelligence agencies will be limited in how they can use personal data if the company is involved with international data transfers. Additionally, concerns raised about how data is handled can go through this new redress mechanism, which will hopefully solve them faster.
When Will the Trans-Atlantic Data Privacy Framework Become Official?
Trans-Atlantic data flows have been held up for over a year since the Schrems II case, relying on the slower and less efficient SCC system while companies wait for this framework to be finalized. Because of this, both the EU and the U.S. want to pass it as quickly as possible. However, there are still some steps that need to be completed first.
The biggest hurdle is that the relevant branches of the EU all need to agree on the final text, and then it needs to be signed by the European Commission. Not surprisingly, getting all 27 countries to agree can take a long time and any changes pushed by the EU would need to go back to the U.S. for approval, making this a very long process.
Then, once it’s signed and implemented by the European Commission, these changes are expected to be drafted as an executive order in the U.S. to ensure the transition on the American side is smooth and swift.
However, since the first two attempts have already failed, Max Schrems and his privacy group “None of Your Business” have already stated that they’re ready to take this to court in a theoretical Schrems III case if the new framework isn’t good enough.
Final Thoughts: U.S.-EU Data Protection
Ultimately, there’s still a lot we don’t know. However, after more than a year with no information, the news that the new Data Privacy Framework could come soon with better protections for your data and multiple avenues to resolve complaints is welcome.
We can’t say for sure if this one will last or if there will be another controversy and court case in a few years, but it seems to be a step in the right direction. We’ll also be sure to update this article if something major changes, although that could take some time, as bureaucracies move slowly.
How do you feel about the new Trans-Atlantic Data Privacy Framework? Do you think this one will last? Do you think the U.S. will strengthen its privacy laws? Let us know your thoughts in the comments below. Thanks for reading.