This article was co-authored by Joshua Curzon and Edward Le Gassick, trainee solicitors, London.
On 10 July 2023, the European Commission (EC) adopted an adequacy decision regarding the EU-US Data Privacy Framework (the Framework). The EC decided that the Framework offers an equivalent level of data protection to the EU GDPR. This affects participating US businesses, who will self-certify their compliance with a range of privacy principles outlined within the Framework. The decision provides a new mechanism for trans-Atlantic data flows from the EU to the US, placing a lesser burden on the exporter than alternative mechanisms, such as the Standard Contractual Clauses.
If this sounds familiar, it is because of its similarity to its predecessors, the failed ‘Safe Harbor’ and ‘Privacy Shield’ schemes. Both prior schemes were ultimately struck down by the Court of Justice of the European Union (CJEU) in decisions colloquially referred to as ‘Schrems I’ and ‘Schrems II’. The failure of both prior schemes rested heavily on the broad extent of surveillance by the US intelligence services of EU citizens without sufficient controls or judicial remedy - a situation which some critics argue has not materially changed.
Consequently, the end may already be in sight for the Framework, even as it has barely begun. European privacy organisation ‘NOYB’ immediately announced that it will challenge the Framework as soon as data is transferred under the scheme. Max Schrems, NYOB’s honorary chairman, has helpfully provided a timescale for this winter’s box office hit, ‘Schrems III’: “We currently expect this to be back at the (CJEU) by the beginning of next year.”
Any final decision from the CJEU is unlikely before the latter part of 2024 or early 2025, and those hoping for a settled situation for the foreseeable future may be sorely disappointed. As Schrems points out: “The (CJEU) could then even suspend the new deal while it is reviewing the substance of it.”
In Kennedys’ February 2023 ‘International cyber and data privacy insights’, we predicted that the unresolved issues around intelligence services processing would likely present a major stumbling block should the then draft Framework be challenged.
If the CJEU strikes down the Framework, it is likely to have consequences for the UK. The UK’s proposed ‘data bridge’ adequacy arrangement with the US is intended to be an extension of the Framework. It follows that if the Framework is struck down, a ‘data bridge’ agreement on the same principles between the UK and US could, if not abandoned, jeopardise the UK’s own adequacy decision. As any ‘data bridge’ is unlikely to take effect prior to 2024, there is a realistic possibility that any UK/US ‘data bridge’ will become ‘a bridge too far’ within a year.
We have previously discussed the present UK-US Data Access Agreement, which covers data transfers for law enforcement purposes. If the Framework is struck down, it remains to be seen whether the UK could continue to operate this agreement without calling its own adequacy into question.
Schrems is currently two for two in his battles with EU-US privacy schemes. Will he make it three from three? We are watching closely.
Related items: