US and European Commission Announce New Transatlantic Data Privacy Framework | Orrick, Herrington & Sutcliffe LLP
The United States (“US”) and the European Commission (“European Commission”) recently announced an “agreement in principle” to develop a new transatlantic data privacy framework (“Framework”). The Framework aims to restore a legal mechanism for transfers of personal data from the EU to the United States after the Court of Justice of the European Union (“CJEU”) invalidated the EU-US Privacy Shield, due to concerns about the scope of US surveillance laws, in its Data Protection Commission v. Facebook Ireland and Maximillian Schrems (“Schrems II”) judgment on July 16, 2020.
In a joint statement, US President Joseph Biden and European Commission President Ursula von der Leyen highlighted the Framework’s shared commitments to advancing privacy, data protection, rule of law and security. They noted that the new framework would “enhance the previously invalidated Privacy Shield framework” to help businesses large and small compete in the digital economy and support the continuous flow of data that underpins more than 1 trillion dollars in cross-border trade every year.
Following the invalidation of the EU-US Privacy Shield in Schrems II, regulators rushed to negotiate a new framework allowing companies to continue transferring data to the United States.
Today, after more than a year of negotiations between the United States and the EU, the United States has committed to incorporating new safeguards to provide a durable and reliable basis for the future adequacy decision of the European Commission regarding the protections afforded to EU personal data transferred to the United States. The announcement focused on attempting to address several concerns highlighted by the Court in Schrems II by committing to several new data protection measures to be implemented by the US intelligence community.
The framework will build on the structure of the previously invalidated Privacy Shield framework and will focus on several key principles and actions. The framework includes:
- The free and secure flow of data between the EU and participating US companies.
- The enactment of binding rules and safeguards to limit access to data by U.S. intelligence authorities to what is “necessary and proportionate” to advance defined national security objectives and without disproportionately affecting the protection of privacy and civil liberties.
- The creation of a two-tier redress system to investigate and resolve complaints from EU data subjects regarding access to data by US intelligence authorities, including the creation of a Privacy Review Tribunal which would be comprised of select individuals outside of the US government who would have full authority to adjudicate claims and order necessary corrective action. EU citizens will continue to have access to multiple avenues of redress to resolve complaints about participating businesses, including alternative dispute resolution and binding arbitration options.
- The requirement for companies processing data transferred from the EU to meet high standards, including requirements to opt in and self-certify their adherence to the Privacy Shield Principles under the oversight of the US Department of Commerce.
- Encouraging US intelligence agencies to adopt procedures to ensure effective oversight of new privacy and civil liberties standards.
- The development of specific follow-up and review mechanisms.
At this time, many details are still unknown and the White House has indicated that additional information is forthcoming in an executive order and the passage of legal documents to implement the new framework in the United States and in the EU.
Max Schrems, the lead litigant in Schrems II, released a statement through his non-profit organization, noyb (“None of Your Business”). Schrems said the announcement was “a political announcement only” and that until there is final text to review, the framework could be months away from being implemented. Additionally, Schrems said he would carefully review the text, once published, and was “likely to challenge it” if it was found not to comply with EU law. Noyb speculated that this could lead to “legal uncertainty at the moment”.
Key points to remember
The new framework includes “unprecedented” U.S. privacy, data protection and security commitments to encourage cross-border data flows. The United States will expand the previously invalidated Privacy Shield Framework and strengthen its privacy and data protection activities. Together, the US government and the European Commission will continue to work to formalize their commitment to form the Transatlantic Data Privacy Framework.