October 13, 2022
EU-US Data Privacy Framework: A brief history
To some, the recently issued executive order on the new EU-US Data Privacy Framework may feel familiar. It was just seven years ago that the privacy world was fixated on the Court of Justice of the European Union (CJEU) and its ruling in the Schrems I case. The decision ultimately led to the downfall of the Safe Harbor framework and gave rise to the EU-US Privacy Shield.
As it happened, the EU-US Privacy Shield would only last four years before a second complaint made by Max Schrems led the CJEU to invalidate the framework in July 2020. In the 12 months following the decision, organizations had to contend with legal uncertainty over the lawfulness of their data transfers from the EU to the US, with some European DPAs ruling that the use of certain US-based analytics services was unlawful.
While the European Commission’s newly revised Standard Contractual Clauses (SCCs) and the European Data Protection Board’s (EDPB) guidance on supplementary transfer measures gave organizations a revised mechanism and guidance for transferring data to the US, efforts to agree on a new trans-Atlantic data transfer framework that would meet the CJEU’s criteria continued.
So, how is this new framework different from what came before? And, what happens next?
The Safe Harbor agreement
Take yourself back – the year is 2000 and the European Commission is making an agreement with its US counterparts on a mechanism that would protect the personal data of EU citizens transferred to the US by US-based companies. The agreement was built on a self-certification method that allowed companies to declare that they were protecting the personal data of EU citizens in line with the terms of the agreement.
For more than a decade, organizations relied on the Safe Harbor agreement to move data from the EU to the US without having to rely on SCCs or other contractual obligations. However, in 2013 Edward Snowden revealed classified NSA documents to the wider world which shed light on the US government’s surveillance practices.
A complaint regarding such access was duly filed by Max Schrems with the Irish Data Protection Commission (DPC), concerning Facebook’s data-sharing practices between its European office and its US headquarters.
Following an escalation from the DPC to the CJEU, the Safe Harbor agreement was struck down – meaning organizations that relied on the agreement needed to put in place other contractual measures to ensure that personal data was protected to the same standard as provided by the Data Protection Directive.
EU-US Privacy Shield
Less than six months after the invalidation of the Safe Harbor agreement, parties in the EU and US began negotiations over a new framework to offer stronger protections for EU citizens’ personal data. In July 2016, the European Commission formally adopted the EU-US Privacy Shield – allowing organizations once again to transfer the personal data of EU citizens to the US in reliance on this mechanism.
During this time, Max Schrems had already filed a second complaint with the DPC. This one focused on Facebook’s use of SCCs to transfer personal data from the EU to the US. Again, the complaint was referred to the CJEU, along with 11 questions for the court to address. Among them was whether the recently adopted Privacy Shield was a suitable mechanism for protecting EU personal data from US government agencies.
It wasn’t. On July 16, 2020, the CJEU issued its long-awaited decision in the Schrems II case declaring the EU-US Privacy Shield invalid. The court upheld the use of SCCs but cast serious doubt over their effectiveness as they were being used.
The fallout from the Schrems II case
While the invalidation of an EU-US transfer framework was not a new scenario for organizations to contend with, the additional fallout and uncertainty surrounding the validity of SCCs and other transfer mechanisms was.
On November 12, 2020, the European Commission published a set of revised SCCs for public consultation that were adopted in June 2021. Just days later, the EDPB adopted its final recommendations on supplementary transfer measures that highlighted a six-step roadmap which included the need to conduct a Transfer Impact Assessment and identify and implement appropriate supplementary measures for transferring personal data to a third country.
Like in 2015, organizations were once again left having to rethink the way that they approach personal data transfers. Only this time they were also required to update existing contracts with the new SCCs within an 18-month transition period and ensure that supplementary measures were in place to ensure an essentially equivalent level of data protection.
New EU-US Data Privacy Framework and beyond
President Biden’s Executive Order is the latest development in a story that has been unfolding for more than 20 years. It marks the beginning of a new chapter for EU-US data transfers – one that may provide more legal certainty for organizations.
As part of the new framework, national surveillance agencies will be held to stricter standards for what personal data they can access and how they can access it. A clearer definition of what is deemed “necessary and proportionate” will help set the guardrails for government access, and data subjects will also have access to a multi-layered redress mechanism in cases of non-compliance – an area that was central to the CJEU’s decision to invalidate the EU-US Privacy Shield.
The draft agreement will now make its way through the ratification process in the EU where the European Commission will review the draft framework and formally issue an adequacy decision. This process may take up to six months, meaning that the formal adoption of the framework may not be until March 2023.
And who knows, there might be a Schrems III by then.
Watch the OneTrust DataGuidance webinar “EU-US Data Privacy Framework: Reaction and Analysis” to hear initial opinions on the framework from a panel of industry experts.