On March 25, 2022, the U.S. and EU announced that they reached a political agreement in principle on a new “Trans-Atlantic Data Privacy Framework” (the Framework). This would be the third framework for EU-U.S. personal data transfers, after the invalidation of the Privacy Shield in 2020 and of its predecessor, the Safe Harbor, in 2015. The new Framework is yet to be set out in legal documents, which will need to be negotiated and adopted. Timing for the adoption remains unclear.
The General Data Protection Regulation (GDPR) restricts how companies may transfer personal data outside the EU. One of the options is to rely on an adequacy decision adopted by the European Commission. Via such adequacy decision, the European Commission can determine that a non-EU country, or a legal framework within a non-EU country, provides an adequate level of protection. Personal data can then flow freely from the EU to organizations located in such country or subject to such legal framework.
So far, there have been two adequacy decisions that were relevant for data flows to the U.S., and both have been invalidated: i) the Safe Harbor framework (valid from 2000 till 2015) and the Privacy Shield framework (valid from 2016 till 2020). Both were invalidated by the Court of Justice of the European Union (CJEU) in the landmark cases Schrems I and Schrems II (see here). In both cases, the CJEU was mainly concerned about the potential broad disclosure of personal data to U.S. intelligence services, insufficient redress options for EU individuals and lack of independent oversight. Any new framework will need to address these concerns to pass muster with the CJEU.
Political Agreement on a New Framework for EU-U.S. Personal Data Transfers
According to the press releases issued by the White House (see here and related fact sheet here) and by the European Commission (see here), the new Framework “marks an unprecedented commitment on the U.S. side to implement reforms that will strengthen the privacy and civil liberties protections applicable to U.S. signals intelligence activities.”
In particular, the U.S. is to:
- Put in place new safeguards to ensure that signals surveillance activities are necessary and proportionate in the pursuit of defined national security objectives;
- Establish a new two-level redress mechanism with independent and binding authority, including an independent Data Protection Review Court that would consist of individuals chosen from outside the U.S. government who would have full authority to adjudicate claims and direct remedial measures as needed; and
- Adopt procedures to ensure effective oversight of new privacy and civil liberties standards.
It is expected that the U.S. commitments will be included in an Executive Order.
In addition, according to the official statements, participating organizations will need to adhere to certain privacy principles and self-certify their adherence through the U.S. Department of Commerce (similar to the self-certification mechanism under Safe Harbor and Privacy Shield).
The U.S. and the EU will now work on drafting the legal documents to be adopted on both sides. Timing for the adoption remains unclear. Some privacy NGOs have already announced that they will not hesitate to challenge the new framework before the CJEU.
Our privacy and cybersecurity practice routinely advises on EU data transfer restrictions and can help you tackle the challenges raised by this fast-moving area. For more information, please contact Cédric Burton, Laura De Boel, Jan Dhont, Lydia Parnes, Christopher Olsen, or another member of the firm’s privacy and cybersecurity practice.