If you’ve been in the privacy business for long enough, you may recall when the Safe Harbor Framework permitted the free flow of personal data between the EU and the United States. Those halcyon days lasted from 2009 until 2015.
In 2015, the Court of Justice of the European Union (CJEU) invalidated the Safe Harbor Framework, ruling that the European Commission had not appropriately evaluated whether the United States maintains “essentially equivalent” protections of EU personal data.
In 2016, U.S. and EU officials announced the Privacy Shield, replacing the Safe Harbor Framework, with significantly stronger privacy protections, oversight mechanisms and redress options.
In 2020, the Privacy Shield went down as well. In its Schrems II decision, the CJEU determined, among other findings, that EU residents don’t have sufficient redress in the event of U.S. government surveillance under Executive Order 12333 and Section 702 of the Foreign Intelligence Surveillance Act (FISA).
Zombie-like, however, the Privacy Shield may be making a comeback. On December 13, 2022, the European Commission released a draft adequacy decision for a “new new” EU-US Data Privacy Framework. It’s 134 pages long, so it involved some serious cogitation.
The key question, of course, is: why should this new Framework survive the legal challenges that the old Framework didn’t? Already Max Schrems, the privacy advocate/gadfly, has made comments suggesting that a Schrems III case challenging the new Framework is in the works.
There’s reason to hope that the third time’s a charm, and that this new Framework will endure. The three most significant improvements over the Privacy Shield:
- Additional redress methods. The new Framework adds several new avenues by which EU residents can seek to get their privacy complaints resolved. Now the options include bringing a complaint (i) directly to the company involved; (ii) to an independent dispute resolution body; (iii) to an EU data protection authority, the U.S. Department of Commerce or the U.S. Federal Trade Commission; and (iv) to an arbitral panel (if the other avenues have been exhausted without resolution).
- Limitations on U.S. government access. The new Framework aims to rein in the ability of U.S. intelligence agencies to conduct surveillance involving access to EU personal data. While certainly far from satisfying Max Schrems’ call for a “no spy” agreement, the new Framework requires that surveillance activity be necessary for a “validated intelligence priority” and only be used when less intrusive methods aren’t feasible.
- Greater transparency. As described in U.S. Executive Order 14086, issued October 7, 2022, there will be an annual review of both the redress process and whether U.S. intelligence agencies have complied with the new limitations established by the Framework and EO 14086.
The next step is for the new Framework to undergo an EU approval process, which is expected to take six months or so. It’s not yet clear whether U.S. companies that have maintained their Privacy Shield certifications will be able to fast-track their certification under the new Framework, or whether all companies will need to apply for certification afresh.