


The White House Fully Unveils Privacy-Shield's Replacement: Overview And Next Steps

Although the European Union (EU) and the United States (U.S.) enjoy a close economic relationship, differences in the two jurisdictions’ approaches to data protections have necessitated the creation of several legal frameworks for transferring data between the EU and the U.S. In 2016, the EU-U.S. Privacy Shield entered into force, acting as one such legal mechanism for transfers. However, in July 2020, the European Court of Justice (ECJ) struck down the Privacy Shield framework for granting inadequate protections as required under EU law, making it difficult for businesses to make legal data transfers between the two jurisdictions; this decision has become known as Schrems II. The EU and U.S. began negotiating a replacement framework, which was preliminarily announced in March of 2022. Now, the White House has issued an Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities, and thus fully unveiled the content of the new EU-U.S. Data Privacy Framework. Here’s what you need to know about this new framework and what comes next:

New Limitations on U.S. Intelligence

In Schrems II, the ECJ deemed the practices of U.S. intelligence to be particularly problematic for the Privacy Shield framework. Effectively, Privacy Shield did little to protect EU residents’ personal information from being collected and processed by U.S. intelligence agencies. Because Privacy Shield entities could not guarantee that U.S. intelligence would not collect EU resident information, the Privacy Shield framework was found to be inadequate. Under the new EU-U.S. Data Privacy Framework, U.S. intelligence agencies are to limit their activities concerning EU residents to what is “necessary” and “proportionate”.

New Redress for EU Residents

Under Privacy Shield, if an EU resident’s information was wrongfully collected by U.S. intelligence, the EU resident was granted no avenue for recourse. Under the new EU-U.S. Data Privacy Framework, a wholly new two-tier redress process is to be established. At the first tier, the Director of National Intelligence’s Civil Liberties Protection Officer (CLPO) will receive and investigate EU residents’ claims of violations of the new EU-U.S. Data Privacy Framework. Following the CLPO’s investigation and any remedial action (or lack thereof), a claimant may apply for review from a newly-formed Data Protection Review Court. This “court”, although an administrative body not under the judicial branch, will be empowered to overrule the CLPO’s findings or remedial actions and compel intelligence agencies to adopt new or different practices.

What’s Next?

With the content of this new framework finalized, the European Commission will now begin assessing the framework’s adequacy. This requires that the European Commission draft an adequacy determination, the European Data Protection Board issue an opinion, EU member states grant approval, and the European College of Commissioners give final approval. However, some critics of the new framework assert that the U.S.’s definitions of “necessary” and “proportionate” are incompatible with the EU’s definitions, and the use of an administrative body (as opposed to a genuine judicial body) for redressing alleged violations may result in an eventual finding of inadequacy under EU law, similar to Privacy Shield’s fate. While it is possible that this new framework will eventually be struck down, it should be noted that the EU-U.S. Data Privacy Framework has been designed specifically to address the ECJ’s core issues with Privacy Shield, as identified in Schrems II. Thus, the new framework may endure for many years to come.

Once the new framework is fully approved as required under EU law, U.S. entities will likely be able to self-certify as EU-U.S. Data Privacy Framework entities; the process to self-certify should be similar to the self-certification process as it existed under Privacy Shield. Once self-certification becomes possible, certified entities will largely be able to rely upon this new framework as opposed to the Standard Contractual Clauses (SCCs) and derogations provided under the General Data Protection Regulation (GDPR), which have become common business practices in the wake of Schrems II.

Do you have questions about how to prepare for this new data transfer mechanism? Reach out to a member of McGrath North’s Privacy and Cybersecurity Practice Group for guidance on the ever-changing landscape of data protections.