The United States and European Commission Announce a New Trans-Atlantic Data Privacy Framework

The United States ("U.S.") and the European Commission ("EU Commission") recently announced an “agreement in principle” to develop a new Trans-Atlantic Data Privacy Framework (“Framework”). The Framework is intended to re-establish a legal mechanism for transfers of EU personal data to the U.S. after the Court of Justice of the European Union ("CJEU") invalidated the EU-U.S. Privacy Shield over concerns about the breadth of U.S. surveillance laws in its Data Protection Commission v. Facebook Ireland and Maximillian Schrems (“Schrems II”) judgment on July 16, 2020.

In a joint statement, U.S. President Joseph Biden and European Commission President Ursula von der Leyen emphasized the Framework's shared commitments to advance privacy, data protection, the rule of law and security. They noted that the new Framework would “enhance the previously invalidated Privacy Shield framework” to help small and large companies compete in the digital economy and support the continued flow of data underpinning more than $1 trillion in cross-border commerce annually.

Background

Following the invalidation of the EU-U.S. Privacy Shield in Schrems II, regulators scrambled to negotiate a new framework to enable companies to continue to transfer data to the U.S.

Now, after more than a year of negotiations between the U.S. and the EU, the U.S. committed to incorporating new safeguards to form a durable and reliable basis for the European Commission’s future adequacy decision regarding protections afforded to EU personal data transferred into the U.S. The joint announcement focused on trying to address several concerns highlighted by the Court in Schrems II by committing to several new data protection measures to be implemented by the U.S. intelligence community.

The Framework will build on the structure of the previously invalidated Privacy Shield framework and will focus on several key principles and actions. The Framework includes:

• The free and safe flow of data between the EU and participating U.S. companies.
• The enactment of rules and binding safeguards to limit access to data by U.S. intelligence authorities to only what is “necessary and proportionate” to advance defined national security objectives and without disproportionately impacting the protection of privacy and civil liberties.
• The creation of a two-tier redress system to investigate and resolve EU data subjects’ complaints regarding access of data by U.S. intelligence authorities including the creation of a Data Protection Review Court that would consist of individuals chosen from outside the U.S. government who would have full authority to adjudicate claims and direct remedial measures as necessary. EU individuals will continue to have access to multiple avenues of recourse to resolve complaints regarding participating companies, including options for alternative dispute resolution and binding arbitration.
• The obligation for companies processing data transferred from the EU to meet high standards including requirements to adhere to, and self-certify their adherence to, the Privacy Shield Principles under the oversight of the U.S. Department of Commerce.
• The encouragement of U.S. intelligence agencies to adopt procedures to ensure effective oversight of new privacy and civil liberties standards.
• The development of specific monitoring and review mechanisms.

For now, many of the details are still unknown and the White House has indicated that additional information is forthcoming in an Executive Order and the adoption of legal documents to effectuate the new Framework in both the U.S. and the EU.

Initial Responses

Max Schrems, the lead litigant in Schrems II, issued a statement through his nonprofit organization, noyb (“None of Your Business”). Schrems stated that the announcement was solely “a political announcement” and that until there was a final text to review, the Framework could be months away from implementation. Additionally, Schrems indicated that he would review the text, when issued, closely and was “likely to challenge” it if deemed not to be in line with EU law. Noyb speculated that this may lead to “legal uncertainty for the time being.”

Key Takeaways

The new Framework includes “unprecedented” commitments by the U.S. to privacy, data protection and security with the goal of encouraging cross-border data flows. The U.S. will augment the previously invalidated Privacy Shield framework and strengthen its privacy and data protection activities. Together, the U.S. government and the European Commission will continue working to formalize their commitment to form the Trans-Atlantic Data Privacy Framework.

If you have questions about how the new Framework may impact your business operations, please contact a member of Orrick's Cyber, Privacy & Data Innovation team.