EU and U.S. Reach Agreement in Principle on New Data Privacy Framework for EU-U.S. Data Transfers
Privacy In Focus®
The European Union (EU) and United States have reached a “deal in principle” to establish a new Trans-Atlantic Data Privacy Framework (Framework), which is meant to foster the exchange of data between the EU and U.S. This new Framework would take the place of Privacy Shield, which was invalidated by the Court of Justice for the European Union (CJEU) in the Schrems II decision issued in July 2020. The details of the new Framework have not been released to the public yet, although the White House has provided a fact sheet that sets out the key parameters. Below, we provide background on cross-border data transfer issues between the EU and the U.S. following the Schrems II decision; highlight the key elements of the new Framework that have been released; and outline the next steps that companies navigating these cross-border data transfer issues should be aware of.
Cross-Border Transfers in the Wake of Schrems II
The Schrems II decision invalidating the Privacy Shield framework for EU-U.S. data transfers held that Privacy Shield was not valid under the General Data Protection Regulation (GDPR) because it did not provide an “adequate level” of privacy protection. Specifically, the Court determined that Privacy Shield was insufficient to protect against U.S. national security surveillance and did not provide EU individuals sufficient recourse to protect their personal data.
Subsequently, in December 2020, the European Data Protection Board (EDPB) adopted recommendations on supplemental transfer tools to ensure that data transfers between the EU and U.S. provided the required level of protection. The EDPB has since provided further guidance on data transfers, including by clarifying what constitutes a “transfer” and updating the Standard Contractual Clauses (SCCs) for data transfers.
The New Framework Will Offer Another Option for EU-to-U.S. Personal Data Transfers
The new Framework will sit alongside other legal mechanisms for cross-border data transfers, like SCCs: the White House Fact Sheet explains that the Framework “will reestablish an important legal mechanism for transfers of EU personal data to the United States.” While the details have not been released, the White House Fact Sheet explains that the new Framework will address the concerns about intelligence activities raised in the Schrems II decision, among other things. Indeed, the Fact Sheet explains that the U.S. has committed to:
- “Strengthen the privacy and civil liberties safeguards governing U.S. signals intelligence activities”;
- “Establish a new redress mechanism with independent and binding authority”; and
- “Enhance its existing rigorous and layered oversight of signals intelligence activities.”
Importantly, the Fact Sheet explains that businesses that adopt the Framework will still be required to adhere to the Privacy Shield principles, which will continue to be enforced through the U.S. Department of Commerce.
Next Steps
As always, the devil will be in the details. This agreement in principle is an important step forward. However, until the Framework is finalized and made public, businesses cannot fully assess whether the Framework will provide a viable option for data transfers from the EU to the U.S.
Regarding process, the Fact Sheet explains that “[t]he teams of the U.S. government and the European Commission will now continue their cooperation with a view to translate this arrangement into legal documents that will need to be adopted on both sides to put in place this new Trans-Atlantic Data Privacy Framework. For that purpose, these U.S. commitments will be included in an Executive Order that will form the basis of the Commission’s assessment in its future adequacy decision.”
Regarding timing, at a recent privacy conference, European Commissioner of Justice Didier Reynders explained that: “It is difficult to give a precise timeline at this stage, but we expect that this process could be finalized by the end of this year.”
***
Wiley’s Privacy, Cyber & Data Governance Practice advises on GDPR compliance and domestic and international data transfer obligations. We will continue to monitor for developments as the EU and U.S. develop the new Framework. Please contact any of the authors for further information.
© 2022 Wiley Rein LLP