On Friday, March 25th, the United States and European Commission issued a joint statement announcing their agreement in principle on a Trans-Atlantic Data Privacy Framework (the “Framework”). If finalized, the new framework would allow cross-border transfers of personal data from Europe to the United States.
This agreement is the culmination of over a year of negotiations between the U.S. and E.U. It comes after the previous trans-Atlantic data flow framework known as “Privacy Shield”—which was an arrangement allowing companies to transfer EU personal data to the U.S.—was invalidated by the European Court of Justice in July 2020 for lack of adequate privacy protections. Specifically, the court noted that Privacy Shield did not limit the access and use of personal data by U.S. authorities for surveillance purposes in line with EU principles of necessity and proportionality. The court also found that Privacy Shield did not provide data subjects adequate redress mechanisms for improper use of their data by U.S. intelligence agencies.
In a press statement, the White House outlined steps the United States will take under a new Framework (referred to by some as “Privacy Shield 2.0”) to ensure appropriate protection of EU personal data, including commitments to:
- Strengthen the privacy and civil liberties safeguards governing U.S. signals intelligence activities;
- Establish a new redress mechanism with independent and binding authority; and
- Enhance its existing rigorous and layered oversight of signals intelligence activities.
President Biden stated in a joint press statement that the new Framework underscores the EU/U.S. “shared commitment to privacy, to data protection, and to the rule of law” and that it will allow for “transatlantic data flows that help facilitate $7.1 trillion in economic relationships with the EU.”
This development in EU/U.S. data privacy cooperation is welcome news both for companies that routinely handle personal data flowing from the EU to the U.S. and for EU citizens whose data is being transferred to the U.S. Under the Framework, participating U.S. companies will have the ability to more freely facilitate EU/U.S. data flows, and EU data subjects will be able to seek redress from a “multi-layer redress mechanism,” which includes an independent data protection review court consisting of individuals outside the U.S. Government, with full authority to handle claims and oversee remedial measures.
The Framework is still in its preliminary stages, with few details available at this initial phase. The goal, as outlined by the joint statement, is to “translate [the] arrangement into legal documents that will need to be adopted on both sides.” It will be interesting to see how this new Framework will differ from the previous Privacy Shield framework, and what measures will be implemented to accomplish the intended objectives. As the Framework continues to develop and more details are released, it is important for companies to be aware of its specific provisions, and to accurately assess how these might impact their business and the way they collect and store personal data from the E.U.
Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.
Author: Jared Walker, JD
Senior Research Analyst, Team Lead / Licensed Attorney