After the Court of Justice of the European Union (“ECJ”) invalidated the EU-U.S. Privacy Shield framework in 2020 under the know Schrems II decision, the European Commission and the United States announced they have reached an agreement in principle for a new Trans-Atlantic Data Privacy framework (“EU-US Trans-Atlantic Framework”).
This EU-US Trans-Atlantic Framework will foster trans-Atlantic data flows and will reestablish an important legal mechanism for transfers of personal data to the United States.
Although the EU-US Trans-Atlantic Framework is not yet ratified, and the parties did not yet publish any legal documents alongside the announcement, the principals will continue to rely on the “old” Privacy Shield principles, which includes transparency, purpose limitation, individual rights, and accountability. The EU-US Trans-Atlantic Framework will continue to operate based on companies’ voluntary self-certification to such principles.
The declared key principals of the EU-US Trans-Atlantic Framework includes the following:
- Personal data will be able to flow freely and safely between the EU and participating U.S. companies;
- A new set of rules and binding safeguards to limit access to data by U.S. intelligence authorities to what is necessary and proportionate to protect national security. The new EU-US Trans-Atlantic Framework marks an unprecedented commitment on the U.S. side to implement reforms that will strengthen the privacy and civil liberties protections applicable to U.S. signals intelligence activities, including establishing a two-level independent redress mechanism with binding authority to direct remedial measures, and enhance rigorous and layered oversight of signals intelligence activities to ensure compliance with limitations on surveillance activities.
- Strong obligations for companies processing data transferred from the EU (self-certification);
- Specific monitoring and review mechanisms will be established. EU individuals may seek redress from a new multi-layer redress mechanism that includes an independent Data Protection Review Court that would consist of individuals chosen from outside the U.S. Government who would have full authority to adjudicate claims and direct remedial measures as needed;
- Adequate protection of Europeans’ data transferred to the US, addressing the ruling of the European Court of Justice (Schrems II).
We will closely monitor developments regarding this new EU-US Trans-Atlantic Framework to further advise our clients how to comply and ensure a lawful data transfer.
For more information we will be happy to assist.
APM Privacy and Cyber Team.