To some, the recently issued executive order on the new EU-US Data Privacy Framework may feel familiar. It was just seven years ago that the privacy world was fixated on the Court of Justice of the European Union (CJEU) and its ruling in the Schrems I case. The decision ultimately led to the downfall of the Safe Harbor framework and gave rise to the EU-US Privacy Shield.
As it happened, the EU-US Privacy Shield would only last four years before a second complaint made by Max Schrems would lead the CJEU to invalidate the framework in July 2020. In the 12 months following the decision, organizations had to contend with legal uncertainty over the lawfulness of their data transfers from the EU to the US, with some European DPAs ruling that the use of certain US-based analytics services was unlawful.
While the European Commission’s newly revised Standard Contractual Clauses (SCCs) and the European Data Protection Board’s (EDPB) guidance on supplementary transfer measures gave organizations a revised mechanism and guidance for transferring data to the US, efforts continued to agree on a new trans-Atlantic data transfer framework that would meet the CJEU’s criteria.
So, how is this new framework different from what came before? And what happens next?
The Safe Harbor agreement
Take yourself back – the year is 2000 and the European Commission is making an agreement with its US counterparts on a mechanism that would protect the personal data of EU citizens transferred to the US by US-based companies. The agreement was built on a self-certification method that allowed companies to declare they are protecting the personal data of EU citizens in line with the terms of the agreement.
For more than a decade, organizations relied on the Safe Harbor agreement to move data from the EU to the US without having to rely on SCCs or other contractual obligations. However, in 2013 Edward Snowden revealed classified NSA documents to the wider world, which shed light on the US government’s surveillance practices.
Max Schrems duly filed a complaint regarding such access with the Irish Data Protection Commission (DPC), concerning Facebook’s data-sharing practices from its European office to its US headquarters.
Following an escalation from the DPC to the CJEU, the Safe Harbor agreement was struck down – meaning organizations that relied on the agreement needed to put in place other contractual measures to ensure that personal data was protected to the same standard as provided by the Data Protection Directive.