The GDPR Emerges
So far, this series has explored new and inevitable legal challenges to the European Union-U.S. Data Privacy Framework (EU-U.S. DPF); how the agreement operates; and the legal issues that doomed its predecessor, the Safe Harbor Framework. This final post will further explore the history behind the EU-U.S. DPF.
The EU harmonized data privacy law across the union by repealing the Data Protection Directive (Directive 95/46/EC) and enacting the General Data Protection Regulation (GDPR). The GDPR builds on previously established data protection principles and provides several lawful bases for transferring personal data out of the EU. One of them is an “adequacy decision” issued by the European Commission (EC) for a third country. Absent such a decision (the position the United States was in before the EU-U.S. DPF), personal data may be transferred only if the exporter provides “appropriate safeguards,” conditioned on “enforceable data subject rights” and “effective legal remedies,” or if one of the GDPR’s narrow derogations applies. The appropriate safeguards include standard contractual clauses (SCCs) and binding corporate rules (BCRs); derogations are a separate, exceptional route.
- SCCs are standardized contract terms, preapproved by the EC, that an exporter inserts into its contracts to provide appropriate safeguards for transfers from the EU to a third country. The Court of Justice of the European Union (CJEU) upheld the use of SCCs for international transfers, but held that whether a given transfer is lawful depends on the facts and circumstances of that transfer, including the likelihood that foreign intelligence agencies can access the data, and that the exporter must assess this before transferring. The CJEU’s ruling on SCCs left EU-to-U.S. transfers in legal limbo: it was unclear when, if ever, SCCs alone satisfied the GDPR.
- BCRs are internal data protection policies and procedures adopted by multinational groups established in the EU to govern intra-group transfers of personal data to a third country. A company implementing BCRs must submit them for approval to the competent data protection authority in the jurisdiction where it is established. The problem is that the BCR process is rigorous and time-consuming, with approval generally taking about 18 months, which makes it unattractive for many companies. Further, as with SCCs, the company would still have to account for foreign intelligence agencies’ access to the data.
- Derogations are exceptions to the GDPR’s general rule that an EU data subject’s personal data may be transferred to a third country only if adequate protection is ensured. They are not a viable long-term solution for businesses because they are meant for specific, occasional situations (e.g., the data subject’s explicit consent, performance of a contract with the data subject, or the establishment, exercise or defense of legal claims) rather than repeated or systematic transfers.
These mechanisms, primarily SCCs, bridged the gaps each time an EU-U.S. framework collapsed. They did not, however, address the primary reasons for those collapses: U.S. intelligence agencies’ broad access to EU data and the lack of redress mechanisms for EU data subjects. Thus, American businesses transferring EU data to the United States could not rely on SCCs, BCRs or derogations as long-term solutions.
Schrems II Invalidates the Privacy Shield Framework
The Safe Harbor agreement faced backlash from within the EU even before the Schrems I decision. This prompted the EC and the United States to renegotiate and find an adequate solution for EU cross-border data transfers that would protect transatlantic commerce. That solution became the Privacy Shield Framework, which, like the Safe Harbor Framework, allowed companies to self-certify. The agreement included stronger data protection commitments, redress mechanisms and limits on U.S. intelligence agencies’ collection practices.
The Privacy Shield Framework incorporated then-President Barack Obama’s Presidential Policy Directive 28 (PPD-28), which offered assurance that U.S. intelligence surveillance practices would be reined in. PPD-28 was President Obama’s attempt to quell criticism of U.S. intelligence agency surveillance. According to the Obama administration, PPD-28 addressed several mass surveillance concerns, including principles governing signals intelligence collection, limits on bulk collection, refinements to collection processes and safeguards for the personal information collected. Still, the CJEU did not consider PPD-28 an adequate answer to the concerns highlighted in Schrems I.
In July 2020, the CJEU issued its judgment in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (Case C-311/18, Schrems II), which immediately invalidated the Privacy Shield Framework. The CJEU held that data transferred from the EU to a third country must be guaranteed a level of protection “essentially equivalent” to that under EU law. It then criticized PPD-28, which had been included to meet that standard for the Privacy Shield Framework, finding that it did not guarantee an adequate level of protection, only that “intelligence activities should be as tailored as feasible.” The CJEU identified four legal issues:
- PPD-28 did not give EU data subjects whose data was collected actionable rights they could enforce against the U.S. government or its agencies in court.
- U.S. intelligence surveillance activities conducted under Executive Order 12333 (EO 12333) are not subject to judicial oversight.
- Neither EO 12333 nor PPD-28 remedies the lack of redress available to EU data subjects harmed by U.S. intelligence agency activities.
- Nothing in the Privacy Shield decision indicated that the Privacy Shield Ombudsperson could adopt decisions binding on U.S. intelligence agencies.
The CJEU’s invalidation of the Privacy Shield Framework once again left U.S. businesses in legal limbo on cross-border data transfers until the EU-U.S. DPF allowed data to flow again. As discussed in more detail in the first post of this series, the legal battle to disrupt the EU-U.S. DPF has begun, and if these efforts succeed, the resulting disruption to global data flows could harm thousands of businesses that provide essential services such as technology innovation, medical research and bank lending.
This is part of the series Transatlantic Data Flow Chronicles: Unveiling Past and Current Data Diplomacy.