A few weeks ago, the European Union (EU) and the United States (U.S.) announced a deal in principle on a deal that would resolve the uncertainty about trans-Atlantic data flows caused when the EU’s highest court struck down the previous deal. The outline of the deal resembled a proposal put forward by three data privacy experts based on their reading of EU and U.S. law in the context of current political realities in the Brussels and Washington, DC. Now, stakeholders are waiting for the text of the deal and the actions both governments have pledged to undertake to effectuate the new deal. However, it remains to be seen whether the EU’s highest court will bless the deal when it is inevitably challenged in a European court or whether there might be challenges in the U.S., Moreover, a recent legal decision in the U.S. might further complicate matters.
A bit of background would be helpful. In July 2020, the Court of Justice of the European Union (CJEU) struck down the Privacy Shield adequacy decision on the basis of the lack of equivalent legal protections and rights for EU residents in the U.S. in light of the latter’s surveillance programs under Executive Order 12333, Presidential Policy Directive 28, and Section 702 of the Foreign Intelligence Surveillance Act (FISA). Under the General Data Protection Regulation (GDPR), the easiest means for an entity to transfer the personal data of an EU resident to another country for processing is under an adequacy decision. This decision says that another nation’s data privacy laws and legal system provide an adequate level of protection equivalent to what is provided in the EU. The EU and U.S. pledged to negotiate a third deal that would allow data to flow, and this process has been ongoing for the better part of two years and two administrations in the EU and U.S.
Before we get into the agreement in principle, there is an important detour. In its decision, the CJEU hedged on whether the use of standard contractual clauses (SCC) to transfer personal data to the U.S. passed muster, which has led to follow on legal skirmishing between Maximillian Schrems, the person who challenged both Privacy Shield and its predecessor, Safe Harbor, and Ireland’s Data Protection Commission (DPC) over the legality of Facebook’s SCCs. This matter is ongoing, and an adverse decision against SCCs could complicate the new deal because, at present, most U.S. entities still transferring personal data out of the EU for processing are doing so through the use of SCCs. A decision objecting to SCCs with respect to the additional protection entities are supposed to provide for processing in the U.S. would be significant.