Establishing a common set of rules for regulating the flow of personal and commercial data between the EU and the U.S. has proved challenging. Perhaps surprisingly so. With the invalidation of the Privacy Shield in 2020, regulators on both sides of the Atlantic went back to the drawing board to design a new legal framework.
In today’s digitized and globalized world, data flows constitute the invisible backbone of our interconnected societies. It enables communication between citizens, makes daily cross-border trade possible, and underpins unprecedented levels of information exchange, supporting scientific and societal advancements.
But we should never talk about data flows without considering privacy. After all, the way in which data flows are – or aren’t – safeguarded, can either enable them, or erode our trust in them completely. Ideally, international data flows should be safeguarded by a mutual set of rules that determine the way in which the underlying data can be handled. That is to say; who it can be shared with, and to what end.
In the EU, this principle is the cornerstone of our comprehensive privacy legislation that regulates the protection and movement of personal data. Monumental achievements in this space, such as the The General Data Protection Regulation (GDPR), demonstrate that the question of how to best manage and legislate data flows is a difficult one – even when the parties involved are aligned.
This complexity is further exacerbated when applied to trans-Atlantic relations, where EU-U.S. data flows underpin more than $1 trillion in yearly cross-border commerce, and enables businesses of all sizes to operate in and across each other’s markets. With countless moving parts and only few pieces of mutually applicable legislation, there is a pressing need for a shared framework.
On 12 July 2016, an adequacy decision on the EU-U.S. Privacy Shield was adopted, following the annulment of the Safe Harbor Privacy Principle in what would come to be known as the Schrems I case – named after Austrian lawyer and privacy advocate, Max Schrems.
Adequacy decision:
The European Commission has the power to determine whether a country outside the EU offers an adequate level of data protection.
With the adoption of Privacy Shield, companies on both sides of the Atlantic could refer to specific data protection requirements outlined in the framework, when transferring personal data from the European Union to the United States.
4 years later, however, Privacy Shield was declared invalid by the European Court of Justice, when it overturned the previously established adequacy decision, finding the framework insufficient.
Thus, legal uncertainty has been hanging over EU-U.S. data flows for the better part of two years. This not only makes it difficult for small and medium-sized firms to conduct trans-Atlantic business - it can potentially jeopardize the collective trust in the reliability and safety of these data flows.
On 25 March 2022, after more than 12 months of negotiations, the European Commission and the U.S. announced a preliminary agreement on a new framework for trans-Atlantic data sharing.
The agreement, colloquially known as Privacy Shield 2.0, seeks to foster a durable and reliable legal framework for data flows that protects the rights of citizens, and enables a fair digital economy. All this, while addressing the concerns raised by the EU Court of Justice in the ruling that found the previous adequacy decision invalid.
One key point of contention in the now defunct Privacy Shield agreement, concerned the scope and legal applicability of U.S. surveillance activities. The Court of Justice had previously noted that the extent of US activities in this field were proportionally out of line with the EU data-privacy requirements; an element that contributed significantly to the Court's final decision.
With the new framework, the two parties are committed to ensuring that intelligence collection doesn't disproportionately impact civil liberties:
“Signals intelligence collection may only be undertaken where necessary to advance legitimate national security objectives, and must not disproportionately impact the protection of individual privacy and civil liberties.”WHITE HOUSE FACT SHEET
Furthermore, the framework stipulates the need for an independent Data Protection Review Court in order to provide EU citizens with multiple avenues to resolve complaints related to data handling. The members of this court would solely consist of individuals from outside the U.S. Government.
With these new amendments in place, institutions on both sides of the Atlantic are now working hard to ensure the durability and efficacy of the legal structures that will underpin this preliminary agreement.
What remains essential through all this, is that the pursuit of efficiency never supersedes our commitment towards democratic principles. This is critical in paving the way towards a more secure and privacy-oriented data framework.
// Anne Marie Engtoft Meldgaard, Tech Ambassador of Denmark
