The United States ("U.S.") and the European Commission ("EU Commission") recently announced an “agreement in principle” to develop a new Trans-Atlantic Data Privacy Framework (“Framework”). The Framework is intended to re-establish a legal mechanism for transfers of EU personal data to the U.S. after the Court of Justice of the European Union ("CJEU") invalidated the EU-U.S. Privacy Shield over concerns about the breadth of U.S. surveillance laws in its Data Protection Commission v. Facebook Ireland and Maximillian Schrems (“Schrems II”) judgment on July 16, 2020.
In a joint statement, U.S. President Joseph Biden and European Commission President Ursula von der Leyen emphasized the Framework's shared commitments to advance privacy, data protection, the rule of law and security. They noted that the new Framework would “enhance the previously invalidated Privacy Shield framework” to help small and large companies compete in the digital economy and support the continued flow of data underpinning more than $1 trillion in cross-border commerce annually.
Following the invalidation of the EU-U.S. Privacy Shield in Schrems II, regulators scrambled to negotiate a new framework to enable companies to continue to transfer data to the U.S.
Now, after more than a year of negotiations between the U.S. and the EU, the U.S. committed to incorporating new safeguards to form a durable and reliable basis for the European Commission’s future adequacy decision regarding protections afforded to EU personal data transferred into the U.S. The joint announcement focused on trying to address several concerns highlighted by the Court in Schrems II by committing to several new data protection measures to be implemented by the U.S. intelligence community.
For now, many of the details are still unknown and the White House has indicated that additional information is forthcoming in an Executive Order and the adoption of legal documents to effectuate the new Framework in both the U.S. and the EU.
Max Schrems, the lead litigant in Schrems II, issued a statement through his nonprofit organization, noyb (“None of Your Business”). Schrems stated that the announcement was solely “a political announcement” and that until there was a final text to review, the Framework could be months away from implementation. Additionally, Schrems indicated that he would review the text, when issued, closely and was “likely to challenge” it if deemed not to be in line with EU law. Noyb speculated that this may lead to “legal uncertainty for the time being.”
The new Framework includes “unprecedented” commitments by the U.S. to privacy, data protection and security with the goal of encouraging cross-border data flows. The U.S. will augment the previously invalidated Privacy Shield framework and strengthen its privacy and data protection activities. Together, the U.S. government and the European Commission will continue working to formalize their commitment to form the Trans-Atlantic Data Privacy Framework.
If you have questions about how the new Framework may impact your business operations, please contact a member of Orrick's Cyber, Privacy & Data Innovation team.