Meet The Long-Awaited EU-US Privacy Shield Replacement: The Trans-Atlantic Data Privacy Framework
On July 16, 2020, the European Union’s (EU) highest court, the Court of Justice of the European Union, struck down the EU-US Privacy Shield in a case known as Schrems II. The Privacy Shield was instrumental for many American companies, as the framework allowed for legal transfers of data between the U.S. and EU. Such a framework was necessary due to the strong data protections that exist in Europe, most notably the General Data Protection Regulation (GDPR). Under the Privacy Shield framework, American businesses would effectively promise to hold themselves to the same standards as European businesses in handling personal data of European residents, thus allowing free transfers of data between the jurisdictions.
The framework was found to be insufficient under EU law in the Schrems II case. The court highlighted several key issues with the framework; most critically, Privacy Shield did nothing to protect EU resident data from U.S. intelligence agencies. Additionally, if U.S. intelligence agencies violated an EU resident’s data privacy rights, the resident had no avenue for redress. U.S. and EU officials began negotiating a Privacy Shield successor, but American businesses were forced to rely on other methods to legally justify data transfers between the two jurisdictions. On March 25, 2022, the Privacy Shield’s replacement, the Trans-Atlantic Data Privacy Framework, was finally announced.
So, What’s Changed?
The announcement of the new framework was light on substantive details. Instead of providing an in-depth overview of the terms of the new deal, the announcement merely grants a sneak peek at what can be expected of the new framework. The entirety of the terms of the new framework will not be publicly available until the relevant legal documentation is drafted by the parties and disseminated. Until then, here are some changes that can be expected of the new framework:
- “A new set of rules and binding safeguards to limit access to data by U.S. intelligence authorities to what is necessary and proportionate to protect national security”
- “U.S. intelligence agencies will adopt procedures to ensure effective oversight of new privacy and civil liberties standards”
- “A new two-tier redress system to investigate and resolve complaints of Europeans on access of data by U.S. Intelligence authorities, which includes a Data Protection Review Court”
- “Specific monitoring and review mechanisms”
Is the Trans-Atlantic Data Privacy Framework Built to Last?
Although neither the EU nor the U.S. has provided much guidance on what the new rules, safeguards, procedures, and systems that will compromise the new framework will look like, the listed changes from Privacy Shield are aimed directly at the inadequacies of that prior framework. In Schrems II, the court placed particular attention on the fact that U.S. intelligence was unfettered in its ability to access European residents’ data and that there was no redress mechanism when such abuse would occur. Assuming that the new Trans-Atlantic Data Privacy Framework presents genuine restrictions on U.S. intelligence and the new redress system is one that will meet EU standards, the particular issues found with Privacy Shield outlined in Schrems II should be alleviated.
As part of the deal, the White House has promised to issue an Executive Order that will provide a more comprehensive outline of the legal obligations that will be placed upon Trans-Atlantic Data Privacy Framework entities and U.S. intelligence under the new framework. Following the issuance of such Executive Order, the European Commission will draft an adequacy decision that will enable the new framework to go into effect. However, the two jurisdictions have not provided a timeline for this implementation to occur. Until then, former Privacy Shield entities can look forward to a new legal framework that will make data transfers between the EU and U.S. much easier.
Reach out to McGrath North’s Privacy and Cybersecurity Team to talk through what steps your organization can take today to prepare for the future of the EU-US privacy landscape.