Will the new EU-US privacy framework be the last we hear of Schrems?
If you are a fellow GDPR nerd, you have been patiently waiting for a new EU-US adequacy decision since the 16th of July 2020 (for non-nerds, this is the day of the Schrems II judgment, when the Court of Justice of the EU examined the EU-US Privacy Shield and found limitations in its ability to protect data transferred between the EU and the US). Since the 13th of December 2022, your LinkedIn has also been filled with posts (and rants) about the first draft of the new EU-US Data Privacy Framework. Can we soon be assured that the hassle around the (often inevitable) EU-US transfer is gone?
The new EU-US privacy framework may become the second adequacy decision issued by the European Commission (third if you also count Safe Harbour). The reason behind such a framework is to foster safe transfers between the EU and US, i.e. allowing data to flow over the Atlantic just like it can in the EU.
The predecessors to the draft, Privacy Shield (and Safe Harbour), were invalidated by the EU court through the Schrems I and II cases (yes – I did just mention Schrems I). As the latter is more relevant today: the invalidation of Privacy Shield was mainly based on i) the US lacking regulations that protect privacy rights and ii) the possibility that US intelligence authorities could access EU citizens' data inappropriately. In other words, the US was incapable of adhering to GDPR standards.
Now, as we live in a global world, and the US is home to the major IT companies, clouds, and vendors out there, it was always a matter of time until the EU would pass another adequacy decision.
The current draft is 134 pages long, and summing it up, the key takeaways are:
- US companies will be able to join the EU-US Data Privacy Framework, whereby they commit themselves to comply with the privacy standards set therein. For simplicity, one could see this as a certification for companies.
- Access to European data by US intelligence agencies will be limited to what is necessary and proportionate to protect national security.
- An independent US Data Protection Review Court to which EU individuals can complain should their personal information be collected or used inappropriately will be set up.
So, can we soon rest assured that the hassle around transferring data to the US is over? Well, if the new framework is passed, we ought to have some breathing room when engaging in new US transfers with companies that have joined the framework.
Nevertheless, it might take some time for US companies to join and adhere to the new principles, so all the work you have been doing up until now is still very valuable. So don't throw out your Transfer Impact Assessments, Standard Contractual Clauses, supplementary measures or even your European cloud just yet.
On top of this – history shows that these EU-US frameworks tend to come and go (kudos to Max Schrems for revealing the flawed adequacy decisions adopted until now). I am not the first one to say that we might be looking towards Schrems III (and IV and V).
Dive deeper:
- The EU-US data privacy framework: Draft adequacy decision
- The Definitive Guide to Schrems II
- What should companies do while the EU works on the draft adequacy decision?
In the meantime, what is Precisely doing to protect your data?
As we live in an ever-changing legal world, the Precisely team sees the benefit of implementing security and technical measures to move towards "independence" from fluctuations in privacy legislation. Our approach is to offer bank-level encryption combined with key separation and EU storage. So, if the US intelligence authorities can't even read the data about EU citizens, no matter how hard they try, do we really have a problem with the transfer? On top of this, we offer our customers the possibility to host the Platform on any cloud service they prefer, anywhere in the world. Learn more about our security measures here.
Disclaimer: this article is written for informational purposes only and shall not be seen as legal advice.