EU/USA: Trans-Atlan­tic Data Pri­va­cy Frame­work (TADPF) – new wine in old bottles?

What was initi­al­ly infer­red from various media reports has been con­firm­ed by the USA and the EU. From the White Hou­se Facts­heet:

The United Sta­tes and the Euro­pean Com­mis­si­on have com­mit­ted to a new Trans-Atlan­tic Data Pri­va­cy Frame­work, which will foster trans-Atlan­tic data flows and address the con­cerns rai­sed by the Court of Justi­ce of the Euro­pean Uni­on when it struck down in 2020 the Commission’s ade­qua­cy decis­i­on under­ly­ing the EU‑U.S. Pri­va­cy Shield framework.

A shorter facts­heet has also published the EU Com­mis­si­on.

Not much is known about the con­tent, inclu­ding a draft of the text, which as far as is known is not yet available but is to be work­ed out by the U.S. govern­ment and the EU Com­mis­si­on. The fina­lizati­on of the text will appar­ent­ly be done by an Exe­cu­ti­ve Order of the U.S. govern­ment and a cor­re­spon­ding ade­qua­cy decis­i­on of the Commission.

The fact sheets remain vague. That of the USA, howe­ver, at least sta­tes the following:

Under the Trans-Atlan­tic Data Pri­va­cy Frame­work, the United Sta­tes has made unpre­ce­den­ted com­mit­ments to:

  • streng­then the pri­va­cy and civil liber­ties safe­guards gover­ning U.S. signals intel­li­gence activities;
  • Estab­lish a new redress mecha­nism with inde­pen­dent and bin­ding aut­ho­ri­ty; and
  • Enhan­ce its exi­sting rigo­rous and laye­red over­sight of signals intel­li­gence activities.

For exam­p­le, the new Frame­work ensu­res that:

  • Signals intel­li­gence coll­ec­tion may be under­ta­ken only whe­re neces­sa­ry to advan­ce legi­ti­ma­te natio­nal secu­ri­ty objec­ti­ves, and must not dis­pro­por­tio­na­te­ly impact the pro­tec­tion of indi­vi­du­al pri­va­cy and civil liberties;
  • EU indi­vi­du­als may seek redress from a new mul­ti-lay­er redress mecha­nism that inclu­des an inde­pen­dent Data Pro­tec­tion Review Court that would con­sist of indi­vi­du­als cho­sen from out­side the U.S. Govern­ment who would have full aut­ho­ri­ty to adju­di­ca­te claims and direct reme­di­al mea­su­res as nee­ded; and
  • U.S. intel­li­gence agen­ci­es will adopt pro­ce­du­res to ensu­re effec­ti­ve over­sight of new pri­va­cy and civil liber­ties standards.

As far as can be seen, it is not a que­sti­on of chan­ging the U.S. legal basis or exi­sting exe­cu­ti­ve orders, but of a more data pro­tec­tion-fri­end­ly approach.

noyb, the NGO from Schrems, has – unsur­pri­sin­gly – a cri­ti­cal state­ment published (“lip­stick on a pig”) and held out the pro­s­pect of sub­jec­ting Pri­va­cy Shield 2.0 to judi­cial review.




Rela­ted articles