The European Commission and the United States have announced that they have agreed in principle on a new Trans-Atlantic Data Privacy Framework. While the details and timing of the framework, which will facilitate the cross-border transfer of personal data, are yet to be confirmed, the announcement has been widely welcomed by the industry, including the likes of big Cloud players such as Google and Microsoft.
American tech companies, particularly Google and Facebook, have been in the eye of storm in Europe as they have been constantly pulled up for violating privacy norms. In its annual filing to the SEC (US Securities and Exchange Commission), Meta, aka Facebook, held that “if a new transatlantic data transfer framework is not adopted, we will likely be unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe”.
The new Trans Atlantic Data Privacy Framework would replace the prior Privacy Shield that was invalidated by the Court of Justice of the European Union (CJEU) in 2020 over concerns related to intelligence collection and surveillance practices by the United States, after a successful campaign by privacy activist Max Schrems.
Since the ruling, data flows between the EU and US have continued using standard contractual clauses (SCCs), which apply more stringent controls on how information is processed. Transfers of data are critical to the trans-Atlantic economic relationship, and more data flows between the United States and Europe than anywhere else in the world, enabling the USD 7.1 trillion U.S.-EU economic relationship.
Meanwhile, even as the details on the new agreement are yet to emerge, Schrems has already voiced his concerns, warning that “we expect this to be back at the Court within months from a final decision”. As part of his initial statement, Schrems noted that it was “especially appalling that the US has allegedly used the war on Ukraine to push the EU on this economic matter”.
Seems we do another #PrivacyShield especially in one respect: Poltics over law and fundamental rights.
— Max Schrems 🇪🇺 (@maxschrems) March 25, 2022
This failed twice before. What we hear is another “patchwork” approach but no substantial reform on the US side. Let’s wait for a text, but my frist bet is it will fail again. https://t.co/y6RFUyB8eG
What does the new framework entail?
According to the European Commission, the new Trans Atlantic Data Privacy Framework marks an “unprecedented commitments” on the US side with respect to privacy and surveillance, including. And, the “new safeguards to ensure that signals intelligence activities are necessary and proportionate in the pursuit of defined national security objectives” and “a new mechanism for EU individuals to seek redress if they believe they are unlawfully targeted by signals intelligence activities”.
ALSO READ: Rise of Cybernetic Culture to Create Dislocation, Distrust: George Friedman
The CJEU had struck down two previous versions of the data transfer agreement, including what is popularly known as the Schrems II decision in 2020.
Under the new Framework, a White House factsheet maintained, the United States has made commitments to:
- Strengthen the privacy and civil liberties safeguards governing U.S. signals intelligence activities;
- Establish a new redress mechanism with independent and binding authority; and
- Enhance its existing rigorous and layered oversight of signals intelligence activities.
In the Schrems II decision, the CJEU had concluded that the Privacy Shield was not compatible with Europe’s General Data Protection Regulations (GDPR) as the US did not provide for “an essentially equivalent, and therefore sufficient, level of protection as guaranteed by the GDPR and the CFR”. Also, the legal bases of US surveillance programmes such as PRISM and UPSTREAM were not limited to “what was strictly necessary and would be considered a disproportionate interference with the rights to protection of data and privacy”.
While we wait to see the details of the new framework and whether we are heading for a possible Schrems IIIscenario, what is clear is that the success or failure of the forthcoming Privacy Shield 2.0 will largely be dependent on how businesses transferring personal data across the Atlantic conduct themselves.
While data protection and privacy have long been an ongoing concern, they have heightened in recent times since the pandemic managed to accelerate the ongoing digital transformation many times over. With the increase in cloud usage, both businesses and governments now need to address the increasing public distrust with best practices and legislations.
ALSO READ: Why geospatial data and cloud storage are inseparable in modern tech?
