On March 25, 2022, the United States and the European Union jointly announced an “agreement in principle” to a new trans-Atlantic data privacy framework to facilitate the cross-border transfer of personal data (the “Framework”).1 As part of the Framework, the US has made “unprecedented commitments” related to intelligence collection and surveillance practices.2 The Framework would replace the prior Privacy Shield that was invalidated by the Court of Justice of the European Union ("CJEU") in 2020 over concerns about US surveillance.3 While the details of the Framework have not yet been released—it is being “translate[d] … into legal documents”4 —this Legal Update summarizes the main points of the announcement and provides background.
Toward a Freer Flow of Data
Although the legal decision invalidating Privacy Shield left in place other data transfer mechanisms—most notably, standard contractual clauses—the absence of a valid overarching framework for data transfers between the US and EU over the past two years had upended commerce and presented meaningful compliance challenges for both American and European businesses. The Biden administration noted that the free flow of data across the Atlantic contributes to “more than $1 trillion in cross-border commerce every year” and that “more data flows between the United States and Europe than anywhere else in the world.”5 US Secretary of Commerce Gina M. Raimondo noted that the Framework “reflects our shared recognition of the importance of trusted data flows, which are critical to our continued economic recovery following the COVID-19 pandemic, as well as our common commitment to the rule of law and data protection.”6
Commitments by the US
The Framework has been structured to address privacy concerns raised by the CJEU and privacy advocates in the EU. It includes significant new commitments by the United States with respect to privacy and surveillance, including, “new safeguards to ensure that signals intelligence activities are necessary and proportionate in the pursuit of defined national security objectives” and “a new mechanism for EU individuals to seek redress if they believe they are unlawfully targeted by signals intelligence activities.”7
Specifically, the United States has agreed to:
- “Strengthen the privacy and civil liberties safeguards governing US signals intelligence activities”;
- “Establish a new redress mechanism with independent and binding authority”; and
- “Enhance its existing rigorous and layered oversight of signals intelligence activities.”8
The new redress mechanism will incorporate a “multi-layer[ed]” process and include an “independent Data Protection Review Court that would consist of individuals chosen from outside the US Government who would have full authority to adjudicate claims and direct remedial measures as needed.”9
Companies seeking certification under the new framework will still be required to self-certify compliance with the Privacy Shield Principles through the US Department of Commerce.
The Biden administration has indicated that it plans to release an Executive Order “that will form the basis of the Commission’s assessment in its future adequacy decision.”10 However, as the US and EU continue to cooperate with the aim of translating the Framework into binding legal arrangements, some commentators have questioned whether the new commitments will be enforceable without domestic legislative action. Even without these details, prominent critics—including Max Schrems, the plaintiff in both the Schrems I and Schrems II cases, which resulted in the invalidation of the US-EU Safe Harbor Framework and the EU-US Privacy Shield, respectively—have indicated skepticism, and once the Framework is adopted, further legal challenges are expected.
We will provide further updates on the Trans-Atlantic Data Privacy Framework as details become available.
1 See Fact Sheet: United States and European Commission Announce Trans-Atlantic Data Privacy Framework (Mar. 25, 2022) (“Fact Sheet”); European Commission and United States Joint Statement on Trans-Atlantic Data Privacy Framework (Mar. 25, 2022) (“Joint Statement”).
- Court of Justice strikes down the EU-US Privacy Shield but rules that the Standard Contractual Clauses can be a valid mechanism for transfers of personal data outside of the European Union (July 16, 2020)
- New EU standard contractual clauses adopted: 18 month deadline to reassess international transfers of personal data from Europe (June 4, 2021)
- Final EDPB Recommendations published on supplementary measures for international personal data transfers from Europe (June 21, 2021)
6 See Secretary Raimondo Statement on Announcement of Trans-Atlantic Data Privacy Framework (Mar. 25, 2022).