New Trans-Atlantic Data Privacy Framework between the EU and USA
New Trans-Atlantic Data Privacy Framework between the EU and USA
After of a year of negociations, the EU and the USA have come to an agreement through the Trans-Atlantic Framework of Data Privacy, that has come to replace the Privacy Shield.
Last 25th of March of 2022, during a joined press conference of the European Comission, Úrsula Von der Leyen and the president of the United States, Joe Biden, have made public their compromise for setting a new Transatlantic Framework for Data Privacy, that will promote the tran-satlantic data flows and will in turn tackle the concerns expressed by the Court of Justice of the European Union when it dictated sentence on 16th July 2020, in the case of Data Protection Commissioner vs Facebook Ireland Ltd and Maximillian Schrems (C-311/18), also known as Schrems II.
Let us rememeber that in said sentence, the Court of justice of the European Union declared the non-validity of the decision on the adecuation regarding the Privacy Shield and on the other hand the Court legitimized tranfers under the Standard Contractual Clauses approved by the European Comission. This sentence had a special impact on data tranfers from the European Union member states to countries outside the community block, among which we may find the United States.
The precedent circumstances that led to said decision were the European Union having a horizontal regulatory system through which many regulations regarding personal data privacy were approved, reaching all activities and industries. Just as an example there is the Regulation 95/46 and its successor afterwards the General Data Protection Regulation (GDPR).
This community regulation comprises restrictions to international data transfers to countries that do not have what could be considered as an adequate regulation, and that is the case of the United States, since they have no federal regulations regarding personal data protection, they only have some sector regulations that deal with that in some States such as the case of California where they have adopted their own regulation in regards to personal data protection.
The new framework will promote Trans-Atlantic data flows and in turn tackle the concerns exposed by the Court of Justice of the European Union
That way, this lack of federal regulations by the United States has been the reason why both parties had to renegotiate data transfer agreements such as the so called Safe Harbor or the one mentioned previously, the Privacy Shield.
But in this case Schrems II, the activist and attorney Maximilian Scherems sued Facebook Ireland indicating that this platform violated his privacy and data protection rights since they were transferred to the company's servers located in the United States and there they might be subject to an statal control by the government investigation agencies such as the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI), therefore the rights of the European data owners could be affected.
Companies and organizations that wish to comply with it will still be responsible for complying with the Principles of the Privacy Shield, including the certification of this compliance through the Commerce Department of the United States
However, after briefly explaining the background in the relationship between the United States and the European Union regarding personal data protection and their transfer between them. The new Trans-Atlantic Framework of Data Privacy will have the goal of setting a law system for personal data transfer between the United States and the European Union, so according to the statement of the White House FACT SHEET: United States and European Commission Announce Trans-Atlantic Data Privacy Framework | The White House.
This judicial system will have the following goals:
- Reinforcing privacy guarantees and civil liberties that rule the signals intelligence activities of the United States.
- Establishing a new system for repairing with independent and binding authority.
- Improve the current rigurous and stratified supervision of the signals intelligence activities.
What does this new judicial system guarantee?
- The compilation of signals intelligence can only be carried out whenever necessary to advance in the legitimate objectives of national security, and it must not have a disproportionate impact on the protection of individual privacy and civil freedom of citizens.
- European Union citizens whose data are transferred and are processed in the United States, they may resort to a new system of resource of several levels that will include a Court of Revision of Data Protection, an independent body, made up by people chosen out of the Government of the United States, which will have full authority to solve claims and direct the repairing measures that will be necessary.
- Intelligence government agencies such as NSA and FBI will adopt likewise procedures that guarantee the effective supervision of new privacy and civil liberties regulations.
The Government of the United States in its statement has indicated that companies and organizations who wish to comply with it will still be obligated to stick to the Principles of the Privacy Shield, including the certification of this compliance through the Department of Commerce of the United States
As for the requirements to comply with this juditial system, the Government of the United States in their statement has indicated that companies and organizations that wish to comply will still be obligated to comply with the Principles of the Privacy Shield, including the certification of this compliance through the Department of Commerce of the United States. That way the citizens of the European Union, will keep on having different ways to plan your complains, even through the alternative resolution of conflicts and binding arbitration.
Now the only thing left is waiting for both parties to develop this common regulation for personal data transfer between the United States and the European Union. Up to now we have seen the first criticism against it, such as for example that of the popular activist and attorney Maximilian Scherems which we mentioned at the very beginning, he has indicated that this new regulation will fail like the previous ones.
On the other hand, technology companies have celebrated the news of this regulation, since most of the technology giants transfer personal data to their United States servers. Let us remember that last February, Meta (old Facebook) threatened with shutting down most of its services in the European Union, if they were not allowed to manage user data as they had previously done with the Privacy Shield, and it is that the data transfer between both parties supports a cross-border commerce of more than a billion dollars each year.
