After the "Wikileaks" scandal involving the United States -US- and the European Union -EU-, the transfer of data between the two parties was regulated by the Privacy Shield Agreement, which was signed as a solution after the invalidation of the Safe Harbor Agreement by the European Court of Justice ECJ, Court- in the Schrems I decision. However, in the Schrems II [1] decision, the ECJ annulled the EU-US Privacy Shield Agreement on the grounds that it did not provide adequate safeguards regarding data protection as required by EU law [2]. Following the Schrems II ruling, efforts to address the legal gap between the US and the EU were ongoing. On 25.03.2022, the first written announcement regarding this agreement was published [3]. The announcement stated:

• Within the framework of the 2020 ECJ ruling, concerns regarding the lack of adequate data protection measures would be addressed, and new work on the Trans-Atlantic Data Privacy Framework would promote transatlantic data flows.
• The agreement would ensure the continuation of data flows that enable cross-border trade worth over one trillion dollars annually and support the 7.1 trillion-dollar US-EU economic relationship, allowing businesses of all sizes to compete in each other's markets.
• Under this agreement, a significant legal mechanism was reinstated for the transfer of personal data from the EU to the US, with the US committing to implementing new measures to ensure that signal intelligence activities are necessary and proportionate in pursuit of defined national security objectives. The agreement includes new and higher standards for the protection of personal data for EU citizens.

Indeed, the US has made the following commitments:

• It will strengthen its approach to privacy and the protection of fundamental rights and freedoms while managing electronic intelligence activities,
• It will establish a new compensation mechanism with independent and binding authority,
• It will improve its existing rigorous and layered oversight of electronic intelligence activities.

For example, under the new agreement:

• Electronic intelligence collection can only be carried out when necessary to advance legitimate national security objectives and must not disproportionately affect individual privacy and fundamental rights and freedoms,
• For individuals located within the EU, an independent Data Protection Review Court, which will have full authority to resolve requests and, where necessary, take corrective measures, will be established,
• US intelligence agencies will adopt procedures to ensure the effective oversight of the new privacy and fundamental rights standards.

The US commitments will be included in an Executive Order that will form the basis for the European Commission's assessment of adequacy for future data transfers. Therefore, the commitments mentioned above will become binding in the US as well.

As a result, the regulation gap regarding data flows between the US and the EU is expected to be addressed again, and an important legal mechanism for transferring personal data from the EU to the US will be re-established. This agreement ensures the continuation of data flows that enable the US-EU economic relationship and allows businesses in both countries to compete in each other's markets again.

[1] For the Schrems II decision, see https://www.europarl.europa.eu/doceo/document/TA-9-2021-0256_EN.html, Accessed on: 04.04.2022.

[2] In the case at hand, Austrian Facebook user Maximilian Schrems, who had been using Facebook since 2008, applied to the Irish supervisory authority to prevent the transfer of his personal data to other Facebook entities in the US. However, his request was rejected. Subsequently, the relevant Irish supervisory authority referred the issue to the High Court, which then asked the European Court of Justice for a preliminary ruling. The ECJ stated that, in the case of data transfers to third countries, the same level of security must be ensured as provided by the GDPR within the EU. This assessment should take into account the contractual provisions between the sender and recipient of the data and the potential access by public authorities in the recipient countries. The ECJ ruled that in the absence of a valid Commission decision confirming adequate protection, supervisory authorities should delay or prohibit such transfers if they find that the standard data protection provisions are not followed. Upon reviewing the Privacy Shield Agreement, the ECJ found that the US administrative authorities’ access to personal data transferred from the EU to the US was compliant with US law but did not meet the GDPR requirements, resulting in the agreement’s invalidation. After the annulment, the ECJ noted that future data transfers between the EU and the US could be based on standard contractual clauses and both countries’ commitment to GDPR-level data protection.

Following this ruling, the US published a report on 28 September 2020, clarifying that intelligence data could be accessed based on Section 702 of the Foreign Intelligence Surveillance Act (FISA 702). This section permits surveillance of foreign nationals outside the US. The report also indicated that access to data was already based on requests from EU member states and that the primary objective was to prevent international terrorism activities. For further details, see Pınar, Hamdi: The Commercial and Competition Law Aspects of New Business Models and Technologies in the Context of Digital Economy Law, Yetkin Publishing, Ankara 2021, pp. 158-160.

[3] For announcement details, see FACT SHEET: United States and European Commission Announce Trans-Atlantic Data Privacy Framework | The White House, Accessed on: 05.04.2022.