New Trans-Atlantic Data Privacy Framework largely a copy of "Privacy Shield". noyb will challenge the decision.

Third attempt of the European Commission to get a stable agreement on EU-US data transfers will be likely back at the Court of Justice (CJEU) in a matter of months. The allegedly “new” Trans-Atlantic Data Privacy Framework is largely a copy of the failed “Privacy Shield”. Despite the European Commission’s public relations efforts, there is little change in US law or the approach taken by the EU. The fundamental problem with FISA 702 was not addressed by the US, as the US still takes the view that only US persons are worthy of constitutional rights.

Comparison of the change in US law since 2014:
- “Old” PPD-28 (2014)
- “New” EO 14086, replacing PPD-28 (2022)
Comparison with previous public relation efforts:
European Commission Draft Adequacy Decision (December 2022)

Background. In 2013 Edward Snowden disclosed that the US government used “big tech” companies and programs like “PRISM” or “Upstream” under FISA 702 and EO 12.333 to spy on the rest of the world without the need for probable cause or judicial approval. This was not limited to crime or terrorism, but also included espionage on “partners” of the US. Since a 1995 EU law, personal data may generally not be sent outside of the EU unless there is a “essentially equivalent” protection in the destination country. The US industry heavily relied on a European Commission Decision called “Safe Harbor” that declared the US “essentially equivalent” in 2000. The CJEU has annulled the Commission Decision in C-362/14 (“Schrems I”) in 2015, given the vase US surveillance laws. In 2016 the European Commission has passed largely the same Decision on EU-US Data Transfers again, under the new name “Privacy Shield”, which was invalidated by the CJEU in C-311/18 (“Schrems II”) in 2020 largely on the same grounds.

Ursula’s and Joe’s “Magic” Tricks. After the annulment of the “Privacy Shield” the negotiations between the EU and the US saw little progress. The US insisted that EU data would stay subject to US mass surveillance and “non-US” persons will not have the same protections as US persons. After little movement for more than 1.5 years, the US has reportedly used the war in Ukraine to put pressure on the EU on sharing personal data. Soon thereafter, Joe Biden and Ursula von der Leyen met on 25 March 2022. The same day, the two have suddenly “solved” what the lawyers were unable to solve and presented an “agreement in principle“, a one pager which in essence contained two “tricks” that should calm the public: