U.S. and E.U. Reach Agreement Over Personal Data Transfer Mechanism

After years of negotiation, there could soon be a new legal framework that enables personal data to flow freely between the U.S. and the E.U.

The announcement comes as the European Commission confirmed that it had begun the process of adopting an adequacy decision regarding the U.S.

The framework, referred to as the EU–US DPF (Data Privacy Framework), is set to replace the Privacy Shield, which was invalidated by European courts in 2020 as it failed to uphold the requirements of EU law.

Since then, organizations have had to rely on standard contractual clauses or binding corporate rules – alongside supplementary technical measures to protect personal data – while talks about a replacement mechanism continued.

The draft text, which is available to read online, aims to balance the requirements of the E.U. GDPR (General Data Protection Regulation) with the U.S.’s notoriously lax rules on data privacy.

For instance, federal law permits the U.S. government to monitor personal data transfers into the country, which is considered a privacy violation under E.U. law.

This was one of the main criticisms against the Privacy Shield and one of the primary reasons that it was invalidated. After the E.U. rejected two previous proposals, the parties have finally come to an agreement.

Bipartisan agreement

It has been clear for some time that the European Commission was not going to budge over its stance on data transfers.

Even if it wanted to, the privacy activist group noyb, led by Max Schrems, has been keenly scrutinizing E.U. rules and has been quick to mount legal challenges against practices that fail to uphold data privacy laws.

The onus has therefore been on the U.S. to meet the requirements outlined in the GDPR. Efforts ramped up following the election of President Biden, and in October 2022, he signed an Executive Order to Implement the EU-US Data Privacy Framework.

A White House fact sheet outlined the objective of the EU–US DPF. It notes that the framework implements “new privacy and civil liberties safeguards” that “will provide the European Commission with a basis to adopt a new adequacy determination, which will restore an important, accessible, and affordable data transfer mechanism under EU law”.

Following the European Commission’s confirmation of the agreement, the E.U. Justice Commissioner, Didier Reynders, gave the following statement:

“Today’s draft decision is the outcome of more than one year of intense negotiations with the US that I led together with my US counterpart Secretary of Commerce Raimondo. Over the past months, we assessed the US legal framework provided by the Executive Order as regards the protection of personal data.

“We are now confident to move to the next step of the adoption procedure. Our analysis has showed that strong safeguards are now in place in the U.S. to allow the safe transfers of personal data between the two sides of the Atlantic.

“The future Framework will help protect the citizens’ privacy, while providing legal certainty for businesses. We now await for the feedback from the European Data Protection Board, Member States’ experts and the European Parliament.”

Meanwhile, Reynders told a Politico event that he hoped the new agreement would be finalised before July 2023.

What does Max Schrems have to say?

Max Schrems has been a thorn in EU regulators’ sides, having led the legal challenges that ultimately dismantled the Privacy Shield and its predecessor, Safe Harbour.

So, what does his privacy activist group think about the Data Privacy Framework? Unsurprisingly, they’re not convinced that the new agreement addresses their original concerns – not least because the framework doesn’t actually require U.S. organizations to comply with the GDPR.

“For example,” noyb explains, “they don’t even need a legal basis for processing, such as consent.”

Schrems commented: “We will analyze this package in detail, which will take a couple of days. At first sight it seems that the core issues were not solved and it will be back to the [European Court of Justice] sooner or later.”

Should we therefore expect another complaint? Didier Reynders hasn’t dismissed the possibility, telling reporters that the framework had a “7 or 8 out of 10” chance of withstanding a legal challenge.

So, for the time being, we can celebrate that progress is being made but proceed with caution. We’ll know more in a few months about whether the Data Privacy Framework will see the light of day – and only then should organizations start bracing for the prospect of smoother transatlantic personal data flows.