The EU and US have entered into a preliminary political deal about a new transatlantic data transfer agreement between them, necessary due to the invalidation of the Safe Harbor agreement and Privacy Shield. The legal text for the so-called ‘Trans-Atlantic Data Privacy Framework’ is yet to be published, but Max Schrems (instigator of the Schrems II judgement of the European Court of Justice) appears to be warming up for another round against the replacement of Privacy Shield. He also made some very valid points to temper overeager enthusiasm for this deal. Furthermore, this political deal is by no means a sign that Privacy Shield 2.0 shall soon be launched, although it is certainly eagerly awaited.
By Cécile van der Heijden
While the deal between the European Commission and the US government is a positive sign, there is still a lot of work required, so hold on to those party flags for now. Both the political deal and the subsequent legal text which we are currently awaiting are a necessity as it is practically impossible to halt all transfers of data between the EU and US (nor can all such transfers be based on data subject consent). Due to the particulars of US law, standard contractual clauses cannot, in practice, achieve the standard required under the Schrems II decision and the supplementary measures guidance of the European Data Protection Board.
A couple of things about the setup of the framework can already be derived from the statements published by the US government. From an implementation point of view, I am glad to note that it seems that the new framework will require compliance with the Privacy Shield Principles which a lot of US companies already had in place. In this light, it is encouraging to see that the framework appears to address the activities of the US intelligence community rather than striving to fully replace Privacy Shield with a new privacy schedule which requires major investments (both financially and in human resources) from businesses. However, from a more substantial point of view, there are significant concerns that need addressing in the legal text.
In its press release, the US government has expressed its commitment to implement “new safeguards to ensure that signals surveillance activities are necessary and proportionate in the pursuit of defined national security objectives.”[1] An interesting development following the same White House statement about the Trans-Atlantic Data Privacy Framework shows that legal redress for EU citizens will be created in the form of an ‘independent Data Protection Review Court’. According to the statement this court would have “full authority to adjudicate claims and direct remedial measures as needed”.[2] The lack of judicial review, particularly in light of the USA’s surveillance activities, was one of the major issues noted by the European Court of Justice in Schrems II.
Notwithstanding all diplomatic language and the new legal redress option described, it is entirely unclear whether the Trans-Atlantic Data Privacy Framework will sufficiently address these issues to the level required by Schrems II due to the powers the USA grants to its intelligence services. In the Schrems II decision the European Court of Justice denounced in particular the rights of the intelligence services under the Foreign Intelligence Surveillance Act (FISA) as well as under executive order 702. FISA allows for the use of lawfully collected information in judicial proceedings in line with specific procedures.[3] However, earlier this month, the US Supreme Court decided in FBI v. Fazaga that the US Congress has not made it impossible to cite state secrets in relation to spying / surveillance activities, meaning that the argument of the information qualifying as state secrets can be used to overrule FISA. FISA does not override the state secret privilege argument. In other words: this decision permits the government to shield information in court cases, limiting the possibility of significant legal redress in surveillance cases. It appears that any serious option of legal redress for foreign data subjects will require action from the US Congress due to the aforementioned decision.
Legislators on both sides of the Atlantic are drafting the legal text for the framework at the moment and I look forward to seeing this text in full instead of having to rely on diplomatic language. While I am happy that there is some pragmatism on the consequences of yet another transfer mechanism (adoption of the principles of Privacy Shield), I am not confident yet that there is sufficient attention for the serious issues signaled by the European Court of Justice in Schrems II. It will be paramount for the legislators to consider the data protection aspects relating to the actual access US surveillance agencies can have to personal data from European subjects in order to meet the very real objection raised against Privacy Shield in order for the Trans-Atlantic Privacy Framework to be a lasting solution. Otherwise the framework could just be a ‘Schrems III’-decision in the making.
[1] https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/25/fact-sheet-united-states-and-european-commission-announce-trans-atlantic-data-privacy-framework (last viewed on 27 March 2022).
[2] https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/25/fact-sheet-united-states-and-european-commission-announce-trans-atlantic-data-privacy-framework (last viewed on 27 March 2022).
[3] Syllabus to SUPREME COURT OF THE UNITED STATES, 4 March 2022 (FEDERAL BUREAU OF INVESTIGATION ET AL. v. FAZAGA ET AL.).
About. This blog is written by Cécile van der Heijden, an attorney-at-law specialized in EU data protection law and healthcare law in the life sciences sector and Floris van der Laan, a paralegal with interest in technology and its connection to EU privacy and data protection law. Both are based in Amsterdam, the Netherlands.