The U.S. and the European Commission (EC) took an important step towards a new data transfer framework as President Biden and EC President Ursula von der Leyen jointly announced on March 25 that an agreement in principle had been reached on a new framework for trans-Atlantic data flows.
According to both President Biden and the EC President, the new Trans-Atlantic Data Privacy Framework will enable predictable, trustworthy data flows between the EU and the U.S., balance security with the right to privacy, and underscore the shared commitment to privacy, data protection, and the rule of law. This will allow the European Commission to once again authorize trans-Atlantic data flows that facilitate $7.3 trillion in economic relationships with the EU, according to President Biden.
While not many details were provided about the new Trans-Atlantic Data Privacy Framework, the White House press release noted that “the United States has committed to implement new safeguards to ensure that signals intelligence activities are necessary and proportionate in the pursuit of defined national security objectives, which will ensure the privacy of EU personal data and to create a new mechanism for EU individuals to seek redress if they believe they are unlawfully targeted by signals intelligence activities.”
A multilayered redress mechanism for EU citizens to file complaints will be established, with a Data Protection Review Court containing non-U.S. government members with the authority to “adjudicate claims and direct remedial measures as needed,” as noted in the White House release. Procedures will be followed by U.S. intelligence agencies to “ensure effective oversight of new privacy and civil liberties standards.”
Lastly, the new Framework will incorporate the Privacy Shield Principles and continue the practice of self-certification. The next step for the U.S. is the incorporation of the U.S. commitments in an Executive Order.
This new framework comes after the Court of Justice of the European Union (CJEU) invalidated, in 2020, the Privacy Shield Framework that governed personal data transfers from Europe to the U.S. Since then, the U.S. Department of Commerce and the European Commission (EC) have been negotiating to develop a new Framework to replace Privacy Shield. The crux of the CJEU’s decision to invalidate Privacy Shield was its determination that the laws of the U.S. do not offer satisfactory protection against the surveillance of foreign citizens by U.S. governmental authorities such as intelligence agencies (NSA) or security agencies (FBI).
Whether your business or your client’s business is multinational or not, it’s likely that at some point information containing personal data will need to be transferred from Europe or Switzerland to the U.S. Personal data is defined broadly to include any information which is related to an identified or identifiable natural person. For instance, a U.S.-based online business which is collecting or processing names, addresses, and credit card information to fulfill orders for its products from European or Swiss persons must be familiar with the rules governing cross-border transfer. This new framework will play an integral role in how that transfer is done.
However, given the lawsuits that led to the invalidation of Privacy Shield and the earlier Safe Harbor Principles, it’s likely that the new Trans-Atlantic Data Privacy Framework will also be challenged, leading to a third CJEU decision.
Businesses are eager for certainty regarding cross-border data transfers. Companies such as Meta and Google have faced multiple complaints and unwelcome decisions from EU regulators. The Austrian data protection authorities recently found that Google Analytics does not comply with the GDPR, and the Irish Data Protection Commission has sent a preliminary revised decision to Meta regarding its transfer of user data to the U.S., with a response due from Meta in April. It remains to be seen whether the announcement of a new framework will affect these ongoing legal battles and how it will ultimately change data transfer between the U.S. and the EU.
|Goldsmith, Amy B.|Partner and Chair of Privacy and Cybersecurity Group|212.216.1135|