Data Transfer to the US: Is Privacy Shield 2.0 in the Making?

The European Commission and the United States have announced a new data transfer mechanism, following the invalidation of Privacy Shield in July 2020.

Background

As data privacy experts may remember, in July 2020 the Privacy Shield data transfer mechanism (which applied to transfers of European data to accredited US companies) was invalidated following the ECJ decision in Schrems II.

The latest development

On March 25, 2022, the European Commission and the United States announced that they had reached an agreement in principle on a brand new Trans-Atlantic Data Privacy Framework.

Following a high-profile announcement, the joint statement said that the Framework would include:

  • A new set of rules and binding safeguards to limit access to data by US intelligence authorities to what is necessary and proportionate to protect national security. Intelligence agencies will adopt procedures to ensure effective oversight.
  • A new two-tier redress system to investigate and resolve complaints from Europeans about access to data by US intelligence authorities. This includes a Data Protection Review Court.
  • Strong obligations for companies processing data transferred from the EU. This will include the requirement to self-certify their adherence to the US Department of Commerce.
  • Specific monitoring and review mechanisms.

The full text of the agreement is not yet available and there is some skepticism as to how this will address the issues of US intelligence surveillance that were raised in the Schrems II case.

What does this mean for businesses?

Once implemented, this new Framework will provide a lawful basis for the transfer of personal data from the EU to the US.

In order to be effective, this agreement now needs to be incorporated into legally binding documents. An executive order in the US will form the basis of a draft adequacy decision by the European Commission, which will then need to be formally adopted under GDPR. In practice, it may be some time before companies can rely upon this mechanism, and it will be subject to challenge by Max Schrems (the privacy campaigner responsible for the case in which Privacy Shield was invalidated).

This Framework would not apply to transfers of data from the UK to the US, as the UK is no longer a member of the European Union.

Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.