Now that a new Trans-Atlantic Data Privacy Framework has been announced, it’s a good time to orient ourselves. This is a critical milestone, but it is not the end of the journey.
First, it’s important to ask, where are we now? An “agreement in principle” has been reached, but more vital work remains to be done. We described how one goes from an “agreement in principle” to a final adequacy decision in Beyond Schrems II: What Happens After EU and US Officials Conclude Negotiations for Privacy Shield 2.0 (February 2022).
There are several important steps, the first of which is for the U.S. team to translate the agreement into legal text. As is made clear in the EU-U.S. joint announcement, “U.S. commitments will be included in an Executive Order that will form the basis of the Commission’s assessment in its future adequacy decision.” In Protect Privacy. That’s an Order (April 2021), we explained how an executive order can have the force of law and is the expected way in which the U.S. acts to direct—and constrain—the activities of its intelligence agencies.
Once that order is issued, the European Commission will need to prepare its adequacy decision. As we noted in Beyond Schrems II:
Given the expectation that the future EU-US adequacy decision will once again come before the CJEU, it is reasonable to assume that the EC will go to considerable lengths to make its decision as comprehensive as possible. By way of comparison, the EC’s adequacy decision for the UK ran 93 pages, while that for South Korea ran 122 pages.
Another important step is for the European Data Protection Board to issue an advisory opinion, as it has done with prior adequacy decisions (we include links to all adequacy decisions in the PAB Resource Guide, and have links to the EDPB opinions for the UK, South Korea and Japan decisions).
Assuming the adequacy decision successfully completes the process and becomes final, EU law requires that it be honored by EU data protection officers and national courts. We explained this in Challenging the New Privacy Shield Framework: All Paths Lead to the CJEU (March 2022), in which we also laid out the path a formal challenge to an adequacy decision must take.
Without seeing the details of the Trans-Atlantic Data Privacy Framework, it is impossible to predict how the Court of Justice of the European Union (CJEU) will rule. However, we do know that in the Schrems II case, the Court focused in large part on whether the U.S. legal framework provides adequate redress.
In Redress: What is the problem? (September 2021) we laid out the boundaries under the U.S. Constitution within which a U.S. redress mechanism must be developed if it is to address EU requirements relating to the independence of the redress body and its ability to issue binding directives. We further explored potential avenues for independence in FTC as a Model for Independence? (March 2022) and Are Inferior Officers a Superior Solution to the EU Independence Challenge? (March 2022).
In the Articles and Papers section of the PAB Resource Guide, we include important articles by other experts who have closely examined this issue, such as EU/US Adequacy Negotiations and the Redress Challenge: How to Create an Independent Authority with Effective Remedy Powers. By the way, the PAB Resource Guide links to key legal resources relevant to understanding the issues raised by the Schrems II case as well as to related issues on a global basis. It is a living guide; please let us know if there are other similar resources we should include.
What happens if there is yet another negative ruling? We are researching the impact that Schrems II and related developments could have on cross-border data flows. For example, we reviewed recent SEC filings in Is the Schrems II ruling one of the “most significant risks” facing U.S. companies? (March 2022).
We are also examining to what extent a non-U.S. company can claim to be “Schrems-proof” because it is based outside the country. In When Can a U.S. Court Exercise Jurisdiction Over a Non-U.S. Company? (February 2022) we published the initial findings of this work, explaining that if a company has certain “minimum contacts” with the U.S., it will be within the reach of U.S. courts.
Finally, in We Are, in Essence, the Same (March 2022), we reflected on what Russia’s invasion of Ukraine tells us about the future of transatlantic data flows.
The EU and U.S. teams have accomplished a great deal, but vital work lies ahead. We look forward to analyzing the executive order and the draft adequacy decision once they are issued. We are researching key issues, such as whether and how one might expect a subject of surveillance to be notified of the surveillance, and what the concept of “essential equivalence” has meant in practice. In addition, we will be looking closely at the jurisprudence of the CJEU for clues on how it might analyze the Trans-Atlantic Data Privacy Framework. We will also be expanding our research beyond the transatlantic relationship, to cover other areas of the world.
We launched Privacy Across Borders (PAB) in January 2022 to discuss the critical issues at the intersection of privacy, national security, and cross-border data flows, and we look forward to continuing the journey toward a sustainable framework that enables global data flows in a manner that protects both national security and individual privacy.
If you have any questions or feedback, please reach out to us at firstname.lastname@example.org. We would love to hear from you!