On the sidelines of the European and global level meetings held in Brussels, the joint press conference of the President of the United States and the President of the EU Commission on March 25, 2022, broke the news that an agreement “in principle” had been reached between the parties on personal data flows. This is the political agreement preparatory to the legally binding agreement that will replace the Privacy Shield, which was invalidated by the CJEU decision in the Schrems II case in July 2020.
Despite general satisfaction with the result, which was particularly needed in order not to penalize commercial relations between the two sides of the Atlantic, and although it has not yet been possible to examine the document, there is still substantial skepticism about whether the new instrument – called the “Trans-Atlantic Data Privacy Framework” – can resolve the shortcomings that led to the invalidation of the previous Privacy Shield. The solution to the problem lies in the ability to close the gap between the two regulatory systems: in the U.S., law enforcement and national intelligence agencies are granted discretionary power to obtain access to personal data deemed useful for their own institutional purposes; data subjects, on the other hand, are not granted – as a potential counterbalance – either the exercise of rights to protect themselves (rights can be limited but not denied in toto) or recourse to independent authorities to defend their rights and freedoms.
The real problem lies in identifying – on the side of the American jurisdiction – a fair balance between the legitimate interests of national security and the protection of the rights and freedoms of the data subjects to whom the personal data refer.
Previews of the political agreement
The political agreement or ‘agreement in principle’ is the precursor to the subsequent legal agreement that will have binding force between the parties. On the Union side, the binding effect stems from the Commission’s anticipated attestation that the future legal agreement constitutes an adequate guarantee, so that the ban on the transfer of personal data from the Union to the United States is lifted. Once this formal declaration is made, compliance with the conditions set out in the future legal agreement by the US company adhering to it will make the data flows between the European exporter and the US importer legitimate.
On the American side, the situation is more complex; the legal constraint is twofold and consists of:
- the legislative measure that determines the limits to the permitted restrictions and, above all, the safeguards offered to the data subjects
- the free and binding adherence of the American company to the self-certification system – conceived along the lines of the previous Privacy Shield – through which it declares that it will respect the principles and rules contained therein.
The most sensitive point, and one on which the effectiveness of the future legal agreement will later be scrutinized, is the legislative measure by which the United States will guarantee the proportionality and necessity test and “the right to an effective remedy and an impartial judge.”
The assurances in the joint statement should be encouraging: «Under the Trans-Atlantic Data Privacy Framework, the United States is to put in place new safeguards to ensure that signals surveillance activities are necessary and proportionate in the pursuit of defined national security objectives, establish a two-level independent redress mechanism with binding authority to direct remedial measures, and enhance rigorous and layered oversight of signals intelligence activities to ensure compliance with limitations on surveillance activities.»
Although words carry weight, a certain skepticism remains because only the text of the future legal agreement will be able to settle doubts about its adequacy as a guarantee of protection of the rights and freedoms of data subjects and, in particular, definitively answer the questions of whether:
- the conditions laid down in it will be able to pass the proportionality and necessity test
- the “right to an effective remedy and to an impartial judge” will be truly recognized
- the envisaged Executive Order containing the aforementioned conditions will have the legal standing to be considered a “legislative measure” as required by the GDPR; and whether, for example, it will have innovative content capable of overcoming even the interpretative approach of the US Supreme Court which, most recently, with its decision of 4 March 2022 (FBI v. Fazaga), has made it more difficult to take legal action against alleged illegal espionage activities. In that decision, the Court ruled that Congress did not eliminate the state secrets privilege for espionage cases when it enacted surveillance reform in FISA (i.e., precisely one of the two U.S. regulations that, in its decision in Schrems II, the CJEU pointed to as an example of a violation of the proportionality and necessity test).
Only once such a legal agreement is in place, followed by a declaration of adequacy if the EU Commission issues one, can the new transatlantic instrument be used to liberalize personal data flows between European exporters and U.S. importers.