In the wake of the invalidation of the Privacy Shield, the EU and the U.S. have been working to establish a new Trans-Atlantic Data Privacy Framework. This framework aims to facilitate the free flow of personal data from the EU to the U.S. while addressing concerns raised by the Court of Justice of the EU (CJEU) in the Schrems II case. The recent adoption of this framework in July 2023 through an Adequacy Decision is a significant step, but questions remain about its potential impact on EU digital sovereignty.
The Evolution of Data Privacy Arrangements
The Privacy Shield, once the informal agreement between the EU and the U.S., allowed companies to self-certify their adherence to European data protection standards. However, the CJEU deemed it inconsistent with EU law and the GDPR, leading to its invalidation in July 2020. Subsequently, a new framework was sought to address government surveillance and judicial redress concerns.
The Birth of the New Trans-Atlantic Data Privacy Framework
In October 2022, President Biden issued an Executive Order aiming to align with a new framework that would meet the CJEU’s requirements. Utilizing this EO, the European Commission recently established the Adequacy Decision in July 2023, recognizing a new Privacy Shield framework in which the U.S. provides equivalent data protection to the EU for data trans-Atlantic data flow.
Key Features of the Updated Framework
The new framework introduces crucial measures to address the concerns raised in Schrems II. It establishes a Data Protection Review Court and limits U.S. intelligence services’ access to necessary and proportionate information from EU data. Additionally, there is a substantive limitation on U.S. national security authorities access to data, and a new redress mechanism is put in place. These provisions aim to offer a durable legal basis for trans-Atlantic data flows.
EU Business Benefits
The new framework will foster EU business with the U.S., enabling more straightforward cross-border data transfers. This will support the EU’s annual ~1 trillion euros of trans-Atlantic trade with the U.S. and offer participating companies a new set of self-attesting obligations for the updated Privacy Shield.
Uncertainties and Challenges
However, uncertainties remain about the new framework, and Schrems has commented that the latest revision was inadequate. Should it face a similar fate to the original Privacy Shield, there would be disruptions to data flows, potentially impacting EU businesses’ operations. Additionally, the new framework does not cover industrial data transfer, which plays a crucial role in the EU’s digital economy. The framework’s focus on personal data may leave non-personal data transfers exposed to risks arising from the U.S. Cloud Act and potential government access to EU data.
Implications for EU Digital Sovereignty
While the new framework facilitates the flow of personal data between the EU and the U.S., it may not directly address the EU’s broader ambitions for enhanced digital sovereignty. The EU will continue to seek technology solutions immune from foreign jurisdictions and safeguard its sovereignty for data handling.
Conclusion
The updated EU-U.S. Trans-Atlantic Data Privacy Framework is a significant step forward in governing data transfers and upholding privacy standards. However, there are concerns about its long-term viability and scope in addressing all aspects of EU digital sovereignty. The EU will likely keep exploring measures to assert digital independence while promoting secure data flows in an increasingly interconnected world.