Patrick Walsh

What You Need To Know About The New Trans-Atlantic Data Privacy Framework

It’s A Tightrope We’ve Been On Before

U.S. companies currently have no legal basis for holding the data of EU citizens, even in European data centers. But change is once again on the horizon.

Last week the United States and the European Commission announced an “in principle,” high-level outline of a new Trans-Atlantic Data Privacy Framework to replace the old EU-U.S. Privacy Shield Framework.

This is potentially good news for companies who have been waiting nearly two years for a new legal basis by which U.S. companies can hold EU personal data. Unfortunately, we won’t see change for a long time.

Background: How We Got Here

Here’s where we are in a nutshell: EU personal data can only flow to nations that have equivalent privacy protections for EU citizens. This was implicitly true even before the EU General Data Protection Regulation (GDPR) came along in 2018, but it has been strengthened by the GDPR.

Originally there was an agreement called the U.S.-EU Safe Harbor Framework that provided a legal basis for U.S. companies to hold EU personal data. That was struck down in 2015 by a court case now called “Schrems I”, which ruled that U.S. intelligence practices did not confer any privacy protection to EU citizens against unwarranted spying and furthermore didn’t give EU citizens any means to redress privacy invasions. The lawsuit was brought in the days following the Snowden revelations that showed the U.S. was conducting wide-scale surveillance around the world, including on European allies.

A year later, in 2016, the U.S. and the EU agreed to a new framework allowing data to flow between countries, claiming to fix the issues with the original framework. This one was called the EU-U.S. Privacy Shield Framework and unsurprisingly, it was challenged almost immediately.

Four years later, the Court of Justice of the European Union ruled that the framework was invalid in a court case called “Schrems II”. So in July 2020, U.S. companies were once again left without a legal basis for holding EU personal data.

This time, things were even worse because the U.S. Congress had passed the CLOUD Act, which forces U.S. companies to produce data they hold even if that data is stored on servers inside Europe. Because of the CLOUD Act, it isn’t sufficient to simply keep the private data of EU citizens on servers housed in the EU.

Most companies have held out hope that a new framework would appear before the myriad lawsuits against Google, Facebook, and others could play out. The first of these lawsuits has recently concluded, and products like Google Analytics are being ruled illegal in the EU in some forms.

What’s In The New Agreement?

This new Trans-Atlantic Data Privacy Framework agreement is a bare skeleton at this stage. Our summary is based on a document released by the White House and another document released by the EU. Here are the key aspects:

  1. A new executive order will instruct U.S. intelligence agencies to only access the data on EU citizens if that access is “necessary and proportionate to protect national security.”
  2. Under the order, U.S. agencies will adopt new unspecified procedures to ensure effective oversight of privacy inside intelligence agencies.
  3. The order will create a redress system by which Europeans can make privacy complaints that will be investigated and resolved by a new “Data Protection Review Court” that will be staffed by people who are not a part of the U.S. government and therefore (purportedly) independent.

Other elements that were a part of the previous framework will return as well, including requirements that companies protect the data they hold and the privacy of EU citizens.

These new elements are expressly designed to meet the concerns raised in the Schrems II court decision, but they still leave a lot of discretion to U.S. intelligence agencies. Notably, there are no penalties if privacy is breached. 

Max Schrems, the lead litigant in the “Schrems I” and “Schrems II” cases, is already talking about challenging this new framework:

“We already had a purely political deal in 2015 that had no legal basis. From what you hear we could play the same game a third time now. The deal was apparently a symbol that von der Leyen wanted, but does not have support among experts in Brussels, as the US did not move. It is especially appalling that the US has allegedly used the war on Ukraine to push the EU on this economic matter.”

“The final text will need more time, once this arrives we will analyze it in depth, together with our US legal experts. If it is not in line with EU law, we or another group will likely challenge it. In the end, the Court of Justice will decide a third time. We expect this to be back at the Court within months from a final decision.”

“It is regrettable that the EU and US have not used this situation to come to a ‘no spy’ agreement, with baseline guarantees among like-minded democracies. Customers and businesses face more years of legal uncertainty.”

What Happens Next?

What we know for sure is that this new framework has a lot of hoops to go through even to go into effect. And hopefully, we’ll end up with an acronym we can all pronounce.

First, the high-level agreement in principle needs to be drafted into an actual legal agreement that both sides can agree to. Then the U.S. will need to issue the relevant Executive Order or Orders. Finally, the EU Commission will need to make an adequacy decision on whether this new agreement and the related orders are sufficient to protect the privacy rights of EU citizens. But that decision is typically political in nature and not judicial.

If all goes as expected and the new agreement is declared adequate, then it will immediately be challenged in court. We’ve seen this before. Twice.

Welcome back to Groundhog Day.

Will It Survive A “Schrems III” Challenge?

We don’t know, but here are the things we’ll watch for:

  • The actual fine print once this is converted into legalese and whether the executive order has real teeth.
  • Any new leaks that reveal U.S. intelligence overreach or mass surveillance.
  • The whims of future U.S. Presidents who could undermine the Executive Order with new orders. For example, an order to “do whatever it takes within the law to achieve goal X” could be at odds with an executive order to preserve privacy. Executive Orders are not laws and are more readily changeable.
  • The anticipated Schrems III lawsuit and the outcome from the Court of Justice of the European Union, which has thus far sided with Max Schrems.

Meme showing Will Smith slapping Chris Rock with Will labeled as Max Schrems and Chris labeled as the new framework

Charting A Path Forward

The good news is that we are back on a path to providing U.S. companies with a legal basis for holding EU personal data without special technical measures. As recently as last week, it wasn’t certain we’d even get this far. But there’s a process that still needs to play out, and history suggests that this might be a band-aid that simply doesn’t stick. And it’s a band-aid that has not yet even been applied – it’s only getting waved in the air.

But U.S. companies don’t need to wait another two or more years to see where things settle. They can act now to make the whole thing a moot point. There are technical measures like bring your own keys (BYOK) and application-layer encryption (ALE) that ensure the privacy of EU personal data and protect against government overreach without making data inaccessible to legitimate law enforcement actions. Companies can implement these measures without sacrificing functionality for their customers.

It’s a double benefit that the systems that would better protect the privacy of end-users also bring far better security to the data they hold. Threats from hackers who compromise networks, from malicious and curious administrators, and from software vulnerabilities are all reduced with effective application-layer encryption.
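To make the BYOK and application-layer encryption measures concrete, here is an added example (not code from this post or from the author’s own products) of the pattern they rest on: envelope encryption in Go’s standard library. Each stored field is encrypted under a fresh data-encryption key (DEK), and that DEK is wrapped by a key-encryption key (KEK) that only the customer’s key service holds. The `KeyHolder` type, the tenant name `acme-eu`, the `dek:` and `tenant/field` context strings and the field layout are all constructed for this example; in a real deployment the KEK lives in the customer’s KMS or HSM, which the service calls to wrap and unwrap but never reads. What the service stores (and what anyone who obtains a copy of its database gets) is ciphertext plus a wrapped key; the service can still read the data on the customer’s behalf while the customer permits it, and withdrawing the KEK makes every record under it unreadable without touching the stored data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// StoredRecord is all the database ever holds for a field: ciphertext plus the
// wrapped data key, never the value itself.
type StoredRecord struct {
	TenantID, Field    string
	WrappedDEK, Cipher []byte
}

// KeyHolder stands in for the customer-controlled key service of a BYOK setup
// (assumption: a tenant -> KEK map instead of a real KMS or HSM). It wraps and
// unwraps per-record DEKs but never hands a KEK to the application.
type KeyHolder map[string][]byte

// Revoke models the customer withdrawing its key: every record wrapped under it
// becomes unreadable to the service without any stored data having to change.
func (kh KeyHolder) Revoke(tenant string) { delete(kh, tenant) }

func (kh KeyHolder) Wrap(tenant string, dek []byte) ([]byte, error) {
	if kek, ok := kh[tenant]; ok {
		return seal(kek, dek, []byte("dek:"+tenant))
	}
	return nil, fmt.Errorf("tenant %q has not granted key access", tenant)
}

func (kh KeyHolder) Unwrap(tenant string, wrapped []byte) ([]byte, error) {
	if kek, ok := kh[tenant]; ok {
		return open(kek, wrapped, []byte("dek:"+tenant))
	}
	return nil, fmt.Errorf("tenant %q has not granted key access", tenant)
}

// RandomBytes draws n bytes from the OS CSPRNG (32 for an AES-256 KEK or DEK).
func RandomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal is AES-256-GCM with the random nonce prefixed to the output; aad binds the
// ciphertext to its tenant and field so it cannot be swapped into another record.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce, err := RandomBytes(aead.NonceSize())
	if err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

func open(key, sealed, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if ns := aead.NonceSize(); len(sealed) >= ns {
		return aead.Open(nil, sealed[:ns], sealed[ns:], aad)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// EncryptField runs inside the application before the value is written anywhere:
// a fresh DEK encrypts the value, the customer's key service wraps that DEK, and
// the plaintext DEK is then discarded.
func EncryptField(kh KeyHolder, tenant, field string, value []byte) (StoredRecord, error) {
	dek, err := RandomBytes(32)
	if err != nil {
		return StoredRecord{}, err
	}
	ct, err := seal(dek, value, []byte(tenant+"/"+field))
	if err != nil {
		return StoredRecord{}, err
	}
	wrapped, err := kh.Wrap(tenant, dek)
	if err != nil {
		return StoredRecord{}, err
	}
	return StoredRecord{TenantID: tenant, Field: field, WrappedDEK: wrapped, Cipher: ct}, nil
}

// DecryptField succeeds only while the customer's key service will unwrap the DEK.
func DecryptField(kh KeyHolder, rec StoredRecord) ([]byte, error) {
	dek, err := kh.Unwrap(rec.TenantID, rec.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, rec.Cipher, []byte(rec.TenantID+"/"+rec.Field))
}
```

A caller builds a `KeyHolder` with the customer’s KEK and uses `EncryptField` before every write and `DecryptField` after every read. Two design points matter for the privacy argument: the associated data ties each ciphertext to its tenant and field, so a record cannot be replayed into another context, and a per-record DEK means that rotating or revoking the customer’s KEK never requires re-encrypting or deleting the stored rows.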

Companies that implement these measures will be ready to absorb the ups and downs of privacy rulings, and it’s far less likely that they’ll be targeted by lawsuits. With the uncertainty that surrounds global privacy laws, the prudent course is to design private systems.