Agreement “in principle” on Trans-Atlantic Data Flows

by Matthias Horn//

On March 25th the EU Commission and the United States announced an agreement “in principle” on a new Trans-Atlantic Data Privacy Framework.

The agreement aims to foster – or rather maintain – Trans-Atlantic personal data flows the legality of which has been the subject of intense debate since the Schrems II decision of the Court of Justice of the European Union (CJEU) in July 2020. Already in 2015, the Court invalidated the Safe Harbor-Framework with a similar reasoning (Schrems I). After intense negotiations between the Obama administration and the European Commission, both sides created Safe Harbor’s replacement with the Privacy Shield. However, in 2020, the CJEU also invalidated the trans-Atlantic agreement, creating a legal uncertainty for thousands of companies that exchange data across the ocean.

Schrems I, II: No actionable rights of redress for EU citizens and lack of proportionality

The key of the decisions is the assessment of the CJEU that the US does not meet the prerequisite of “essentially equivalent” privacy protection for government access to data. The challenge is that essential equivalence is required with respect “to any access by the public authorities to the personal data transferred [and] the relevant aspects of the legal system of that third country.”In short there must be “essential equivalence” to EU safeguards with respect to how the government might access the data.

In particular, the CJEU ascertained that the U.S. surveillance programs conducted under Section 702 of the Foreign Intelligence Surveillance Act (FISA) or EO 12333 do not grant “actionable” rights of redress through “an independent and impartial court.” The CJEU accentuated that “the very existence of effective judicial review designed to ensure compliance with provisions of EU law is inherent in the existence of the rule of law” and appended that “legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him or her” fails to “respect the essence of the fundamental right to effective judicial protection,” as set forth in Article 47 of the EU Charter of Fundamental Rights. The judges also addressed that the sheer scope and scale of U.S. intelligence activities of bulk personal data collection programs conducted harms the fundamental principle of proportionality.

The decisions lead to extreme legal uncertainty for all organisations conducting Trans-Atlantic Data Flows. Especially the Big Techs quintette, but also EU based corporations are warning fervently of a blackout of Trans-Atlantic Data Flows. Several investigations of Europe’s Data Authorities, like the procedure on Facebook’s EU-US data flows are seen as a Damocles sword that could suddenly blackout applications, services and infrastructures. The new EU Standard Clauses published by the EU Commission in June 2021 addressing the Schrems II findings could not clear out the legal uncertainty as this new guarantees can’t really tackle the above described legal challenge of “essential equivalence”.

The proposed solution: Reforms of U.S. signals intelligence activities

The new agreement now tries to address these findings of the CJEU. Under the new Trans-Atlantic Data Privacy Framework, the US Administration committed to put in place new safeguards to ensure that signals surveillance activities are “necessary and proportionate in the pursuit of defined national security objectives”. The aim is to establish a “two-level independent redress mechanism with binding authority to direct remedial measures and enhance rigorous and layered oversight of signals intelligence activities to ensure compliance with limitations on surveillance activities”.

Currently, the Biden Admin is planning to address the respective legislative changes via an Executive Order and subsequent regulations from the U.S. attorney general’s office. If this is sufficient to clear out the findings of the CJEU is – at least – discussable. In this context, a recent decision of the US Supreme Court is noteworthy as it reasoning hints to more sustainable legislative measures than Executive Orders.

Assessment: A Political LOI

The agreement has to be regarded rather as a political letter of intent than a legally conclusive solution of the challenge. It remains to be seen how the commitment of the U.S. administration to implement reforms of U.S. signals intelligence activities will be realised concretely.

But that does by no means entail that this agreement is valueless. It is evident that Russia’s Invasion of Ukraine played a crucial role in accelerating this political agreement. After years of divergence of and eroding mutual trust between the countries of the so called west, the agreement maybe signifies a pendulum turn. As the two Schrems-decisions to certain extend are to be interpreted as a judicial embodiment of the divergence between EU and the US in aftermath of the “Snowden Revelations” in the Summer of 2013, this agreement could be starting point of an of improved transatlantic cooperation recognizing our different legal cultures. Part of this should be an honest self-examination of the surveillance legislation of some EU countries, which are to some extent comparable to the ones of the US.

In conclusion, we must see how this political stride will be transposed. Didier Reynders recently announced that he is expecting a final agreement at the End of 2022.

Matthias Horn, Lawyer for Data Law at Axel Springer SE