News

U.S. and European Union Agree on a New Trans-Atlantic Data Privacy Framework

• By Kurt Mackie
• March 25, 2022

The Biden White House and the European Commission  have taken first steps in agreeing on a new "Trans-Atlantic Data Privacy Framework".

Once the agreement, which needs to be put into a legal document, is finalized, it then needs to be institutionalized with a court process to address complaints by EU residents about how their information gets processed by U.S.-based organizations. Processes that should take months to finalize.   

This U.S.-EU agreement will "enable predictable and trustworthy data flows between the EU and U.S., safeguarding privacy and civil liberties," contended Ursula von der Leyen, the European Commission's president, in a released statement.

Here's what the U.S. government agreed to under this new framework agreement, per the European Commission's announcement:

• The United States will "strengthen the privacy and civil liberties protections applicable to U.S. signals intelligence activities."
• The United States will establish "a two-level independent redress mechanism with binding authority to direct remedial measures."
• The United States will "ensure compliance with limitations on surveillance activities."

Privacy Shield Concerns Said To Be Addressed
The new agreement is said to address the EU's Court of Justice "concerns" about an earlier "Privacy Shield" data privacy and data processing agreement with the United States. Privacy Shield has been on hold since the court's "Schrems II decision of July 2020."

Schrems II is a reference to Austrian citizen Maximillian Schrems, who had filed two complaints about U.S.-based Facebook's processing of his personal information.

Back in 2020, the EU's Court of Justice had indicated (PDF) that under the Data Shield agreement, the personal data of EU residents would be processed according to U.S. laws. Such processing didn't meet the conditions of EU data privacy laws, specifically the EU's General Data Protection Regulation, the court had indicated. Moreover, there was no U.S. court process for EU "data subjects" to contest the U.S. processing of personal data.

The Privacy Shield agreement has been in limbo since that 2020 Schrems II decision. However, U.S. and European Commission officials are now signaling a breakthrough of sorts, although specific agreement details apparently weren't published.

Plaintiff Schrems expressed skepticism about the new agreement in a March 25 Twitter post, saying that it "seems we do another Privacy Shield, especially in one respect: Politics over law and fundamental rights." He predicted that this new agreement will "fail again."

The Privacy Shield agreement itself had been a reworked agreement. It emerged after the EU's European Court of Justice scrapped an earlier "Safe Harbor" framework for the trans-Atlantic processing of data back in October of 2015.

The new data privacy agreement, if viable, could grease the revenue skids for U.S.-based service provider companies eyeing EU markets. Trans-Atlantic data commerce represents "$7.1 trillion" in trade, according to Biden's statement.

The current U.S. government, though, may not be in a position to achieve the goals set by Shrems II, suggested Gary LaFever, general counsel and CEO of Anonos, a maker of privacy data enablement software, in a released statement:

The ruling that invalidated the Privacy Shield (Schrems II) requires that a ruling be guaranteed in U.S. law (not likely to happen with the current US Congress) or with technical supplemental measures recommended by the EDPB [European Data Protection Board] and by the EDPS [European Data Protection Supervisors] that enable ongoing data processing while safeguarding the fundamental rights of EU citizens to privacy. Currently, the agreement meets neither standard.

Microsoft Pledges Support
Microsoft on Friday announced support for the new Trans-Atlantic Data Privacy Framework, pledging to both embrace it and "go beyond it."

The company plans to address the framework in two ways, according to Julie Brill, Microsoft's corporate vice president for global privacy and regulatory affairs and chief privacy officer.

First, Microsoft plans to challenge U.S. government demands to access personal data when those demands do not comply with the Trans-Atlantic Data Privacy and Security Framework.

Second, Microsoft plans to "actively participate in the judicial review of an individual's claim of harm related to Microsoft's public sector and commercial cloud services." It'll also pay "monetary compensation" to its public sector and commercial customers if data were disclosed unlawfully following a government request.