On March 25, 2022, the EU Commission and US announced that an agreement in principle on a new framework for transatlantic data flows had been reached (see the Commission’s statement here, here, and here, and the US White House’s statement here). The Commission and the U.S. published draft factsheets outlining the agreement (see the Commission’s factsheet here and the U.S. factsheet here). This agreement will form the basis for an adequacy decision in the EU and an executive order in the US, which both parties will draft as a next step.
Today’s announcement follows lengthy negotiations that began shortly after the Court of Justice of the EU’s (“CJEU”) Schrems II judgment on July 16, 2020, which annulled the EU-US Privacy Shield (see our blog post here). There, the CJEU held that the US did not provide an “essentially equivalent” level of data protection to that found in the EU, due in part to extensive powers granted to US law enforcement and intelligence agencies to access data and an absence of effective legal remedies for EU residents.
According to the published factsheets, the US has made “unprecedented commitments” that build on the safeguards that were in place under the annulled Privacy Shield framework with the aim of addressing issues identified in the Schrems II decision. The new framework will:
- strengthen the privacy and civil liberties safeguards governing U.S. signals intelligence activities through binding safeguards limiting U.S. intelligence authorities’ access to data to what is necessary and proportionate to protect U.S. national security;
- establish a new, multi-layered redress mechanism with independent and binding authority composed of individuals chosen from outside the U.S. Government who will have full authority to investigate and adjudicate claims, as well as impose remedial measures, as needed; and
- enhance the U.S.’ existing rigorous and layered oversight of signals intelligence activities.
Just as with the annulled Privacy Shield, U.S. companies will need to self-certify their adherence to the Privacy Shield 2.0 once it is released.
This is undoubtedly good news for industry, as such a framework will offer another option when transferring personal data from the EU, alongside EU contractual clauses and other means. However, any new framework is certain to be pressure-tested before the EU courts, and at least one privacy advocacy group has issued a statement challenging the legality of the agreement (see NOYB statement here).
The Covington team will keep monitoring any developments on the Privacy Shield 2.0 and continue to report on them on our blog Inside Privacy.