EU and USA reach an ‘agreement in principle’ after the “Schrems II” decision

On the 25 of March 2022, the European Commission and the United States of America government have announced that an agreement in principle on a new Trans-Atlantic Data Privacy Framework (“Framework”) has been reached.

The Framework, once adopted, will foster trans-Atlantic data flows and address the concerns raised by the Court of Justice of the European Union (“CJEU”), in the Schrems II decision of July 2020, which declared the invalidity of the “Privacy Shield” mechanism adopted for data flows between EU and US (an earlier contribution providing clarifications and new measures after the “Schrems II” judgement was published on our TMT Data Protection Observatory and is available here).

As also declared by the competent authorities, the commitment on the US side, on which has been based the agreement on principle for the adoption of the new Framework, is to implement reforms and adequate measures for the privacy and the protection of personal data of individuals in the European Economic Area (“EEA”) when their data are transferred to the US.

Specifically, the new Framework reflects more than a year of negotiation between EU and US and takes into account the CJEU considerations and concerns raised in the Schrems II decision (namely, the US legislation did not meet the requirements of the EU law and did not grant data subjects enforceable legal rights against the US authorities).

In particular, the Framework shall ensure (as indicated in the Factsheet Trans-Atlantic Data Privacy Framework):

• data ability to flow freely and safely between the EU and participating US companies;
• a new set of rules and binding safeguards to limit access to data by US intelligence authorities to what is necessary and proportionate to protect national security;
• procedures to ensure effective oversight of new privacy and civil liberties standards that will be adopted by US intelligence agencies;
• a new two-tier redress system to investigate and resolve complaints of Europeans on access of data by US intelligence authorities, which includes a Data Protection Review Court;
• strong obligations for companies processing data transferred from the EU, including the requirement to self-certify their compliance to the principles through the US Department of Commerce;
• specific monitoring and review mechanisms.

On the 6 of April 2022, the European Data Protection Board (“EDPB”) issued the Statement 01/2022 where welcomed the Framework. Notably, the EDPB recognises the commitment of the United States highest authorities to establish measures to protect the data of EEA-based individuals when transferred to the US.

However, it is worth noting that, since the Framework will now be translated into legal documents, the EDPB, in its Statement, declares that it “will examine how this political agreement translates into concrete legal proposals to address the concerns raised by the Court of Justice of the European Union (CJEU) in order to provide legal certainty to EEA individuals and exporters of data”. Specifically, for issuing the adequacy decision for the Framework, the European Commission must follow a multi-step process: following a written proposal drafted by the European Commission, the EDPB will review and issue an opinion concerning such proposal.

In any case, the EDPB also specifies that the announcement of the European Commission and United States does not constitute a legal framework on which data exporters can base their data transfers to the US. Indeed, during any transfer, at this time, they must continue to comply with the principles outlined in the CJEU decision in Schrems II.

Reminder: How EU data exporters can transfer data to the United States?

In the context of the Schrems II decision, the CJEU reminded that the protection granted to personal data in EEA must travel with the data, notwithstanding where such data is transferred, and that the level of protection in third countries does not need to be identical to that guaranteed in the EU, but it must be essentially equivalent.

Subsequently, as recalled in the EDPB’s FAQ adopted on the 23 of July 2020, in the absence of a decision pursuant to Article 45 of the Regulation (EU) 2016/679 (“GDPR”) or of appropriate safeguards pursuant to Article 46 of the GDPR, according to Articles 46 and 49 of the GDPR, data exporters may transfer data to the US by adopting other mechanism.

Specifically, a transfer to a third country (or an international organisation) can only take place if EU data exporter has provided appropriate safeguards and if data subjects have enforceable rights and effective remedies (as provided in Article 46(1) and (2)(c) of the GDPR). The appropriate safeguards may be provided for, without requiring any specific authorisation from a supervisory authority, by, among others, Standard Contractual Clauses (“SCCs”) and Binding Corporate Rules (“BCRs”).

The CJEU upheld the validity of the European Commission Decision 2010/87/EC on Standard Contractual Clauses, as a transfer tool that may serve to ensure contractually and essentially equivalent level of protection for data transferred to third countries, provided that the underlying transfers must be assessed on a case-by-case basis to determine whether the personal data will be adequately protected. On this regard, with reference to both the SCCs and the BCRs, the CJEU pointed out that:

• it is the responsibility of the data exporter and the data importer to assess whether the level of protection required by EU law is respected in the relevant third country, in order to determine if the guarantees provided by the SCCs or the BCRs can be complied with in practice;
• if this is not the case, supplementary measures to ensure an essentially equivalent level of protection as provided in the EEA should be adopted; the CJEU does not specify which measures these could be, it should be necessary to identify them on a case-by-case basis;
• in case the assessment determines that the data transferred pursuant to the SCCs or to the BCRs are not afforded a level of protection essentially equivalent to that guaranteed within the EEA, it will be necessary to immediately suspend the transfers or notify the competent supervisory authority.

On the 4 June of 2021, the European Commission published its final Implementing Decision adopting new standard contractual clauses for the transfer of personal data to third countries (“New SCCs”). New SCCs follow the draft decision published on the 12 of November 2020 and, among others, respond to the Schrems II decision. The New SCCs set out a process whereby the parties to the SCCs must undertake a transfer impact assessment and document the outcome, but provide no real guidance on what the outcome of that process should be.

On this regard, taking into consideration the necessity of carrying out a transfer risk assessment, the EDPB, with Recommendations 01/2020 “on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data” published on the 10 of November 2020 and, then, adopted on the 18 of June 2021, has laid out a roadmap to help exporters in the phase of assessment of third countries level of protection and, where needed, in the identification of supplementary measures that must be put in place for certain data transfer.

The roadmap comprises the following six steps:

• know your transfer;
• verify the transfer tool your transfer relies on;
• assess the law of the third country;
• identify and adopt supplementary measures;
• take any formal procedural steps the adoption of your supplementary measure may require;
• periodically re-evaluate the security of transfers and monitor if there have been or there will be any developments that may affect it.

Moreover, according to Article 49 of the GDPR, it is still possible to transfer data from the EEA to the US only if at least one of the conditions set out in the par. 1 is met. Specifically, in the event that the transfers are:

• based on the data subjects’ consent, such consent shall be explicit, specific for the particular data transfer or set of transfers and informed, particularly in relation to the possible risks of the transfer;
• necessary for the performance of a contract between the data subject and the controller, personal data may only be transferred when the transfer is objectively necessary for the performance of a contract and is occasional;
• necessary for important reasons of public interest (which must be recognized in EU or Member States’ law), the essential requirement for the applicability of this derogation is that the public interest has to be important. It should be borne in mind that the importance of public interest does not mean that such data transfers can take place on a large scale and in a systematic manner: such derogations need to be restricted to specific situations and each data exporter needs to ensure that the transfer meets the strict necessity test.

Furthermore, the EDPB on the 10 of November 2020 also adopted the Recommendations 02/2020 “on the European Essential Guarantees for surveillance measures” that provide elements to examine, whether surveillance measures allowing access to personal data by public authorities in a third country, being national security agencies or law enforcement authorities, can be considered justifiable interference or not. On this regard, surveillance measures are considered justifiable with the following requirements:

• processing based on clear, precise and accessible rules;
• necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated;
• existence of an independent oversight mechanism should exist;
• availability to the individual of effective remedies.

In view of all of this, data exporters still have the chance to transfer data from the EEA to the US, but they must comply with the principles outlined in the CJEU decision in Schrems II and, in particular, with the above provisions, while waiting for the European Commission and the United States government to translate the new Framework into legal documents that will need to be adopted on both sides.