On 25 March, US President Joe Biden and European Commission President Ursula von der Leyen announced that, after a year of negotiations, the US and EU had reached an agreement in principle on a new Trans-Atlantic Data Privacy Framework (the Framework) to facilitate the free flow of data from the EU to the US. The Framework will replace the US Privacy Shield that was invalidated in the 2020 Schrems II case.
What has been agreed?
The proposed Framework would effectively amount to a new partial adequacy decision. Although we do not yet have any detail on the proposals, the joint US-EU statement sets out some of the Framework’s key protections, in particular those aimed at addressing the concerns identified in the Schrems II case, such as:
- new rules and binding safeguards for US intelligence authorities, limiting their access to data to what is necessary and proportionate in relation to defined national security objectives and adding new ‘rigorous and layered oversight’ of intelligence activities to ensure compliance with limitations; and
- the establishment of a new two-tier independent redress mechanism for complaints by EU data subjects in relation to data access by US intelligence authorities, including a ‘Data Protection Review Court’.
What happens next?
The parties now need to finalise the details of the various safeguards and mechanisms outlined. If all goes to plan, the US commitments will be put in place via an executive order from US President Joe Biden, and the European Commission will then issue a partial adequacy decision for the US. It is anticipated that US organisations that want to benefit from the adequacy decision will need to sign up to the Framework via the US Department of Commerce and self-certify their compliance, as they did previously in relation to the pre-Schrems II Privacy Shield.
What steps should organisations take now?
The new Framework is not yet in place, so organisations transferring data from the EU to the US still need to rely on the SCCs for now and carry out the related transfer impact assessments.
What about the UK?
The proposed Framework does not cover transfers from the UK to the US. However, we know the UK government has listed the US as one of its key priority territories for adequacy and, last week, it acknowledged that its negotiations with the US are ‘progressing well’. But until we hear anything further, organisations transferring data from the UK to the US will need to continue to use the existing mechanisms and follow current guidance from the ICO.
What impact will this have?
The success of the Framework will in part depend on how many US organisations sign up to it, and it is not yet clear how quick or easy the sign-up process will be. In addition, Max Schrems’ campaign group NOYB has said it anticipates bringing a legal challenge against the Framework, so further uncertainty may yet beckon for transatlantic transfers.
Despite this uncertainty, the announcement suggests that there is light at the end of the tunnel for the many organisations who are struggling with their transatlantic data flows, and so will be welcomed by many.