In late March, the United States and the European Union signed a new framework that will modify the Privacy Shield principles that had governed trans-Atlantic transfers of data by companies and organizations since 2016.
It’s important to note that the Framework is not a regulation. It sets out the principles that the EU and US will follow in subsequent implementing regulations, a process that will likely take time and involve substantial detail. Nonetheless, the Framework sets the direction for clarifying how trans-Atlantic data transfers and protections will be regulated once it is implemented.
Why Was the New Framework Necessary?
In 2020, the Court of Justice of the European Union (CJEU) invalidated the existing Privacy Shield that was negotiated and implemented between the EU and US six years ago, a decision that threw the area of trans-Atlantic data flows into uncertainty. Previously, by self-certifying to the Privacy Shield principles—a set of 23 principles, including notice, choice and access—US companies could demonstrate “adequate” privacy protection under the EU General Data Protection Regulation (GDPR) and be able to receive data from EU entities consistent with EU regulations.
What Did GDPR Require?
GDPR took effect in 2018 to update and unify data privacy laws across the EU. It focuses primarily on making data transfers more transparent and protecting the data and the privacy of anyone whose data is stored or processed in the EU. GDPR also requires that personal data be maintained securely and protected against “unauthorized or unlawful processing, and against accidental loss, destruction or damage.”
GDPR contains specific rights and principles that govern how data may be legitimately collected and transferred, as well as individuals’ rights to their data and its use. For example, the permitted reasons for collecting personal data are defined in the GDPR. Any data that is collected must be for a specific and legitimate purpose and should not be used in any way beyond that intention. The regulation also limits how much data is collected, as data collection should be “limited to what is necessary in relation to the purposes for which they are processed.”
What is the Privacy Shield?
After the CJEU had held in 2015 that the US-EU Safe Harbor—which previously governed trans-Atlantic data flows—was inconsistent with EU law, the European Commission and the US Department of Commerce put in place the Privacy Shield, a set of 23 principles. As noted, in its recent decision, however, the CJEU took the view that the Privacy Shield did not ensure adequate protection required under GDPR.
The Court determined that the Privacy Shield did not ensure adequate protection because US law does not sufficiently restrict the power to implement surveillance programs and could limit the Privacy Shield principles on the basis of national security interests. It also noted that there was no adequate judicial protection against interference for those whose data was affected.
How Does the New Framework Address those Issues?
The White House and the European Commission characterized the Framework as an “unprecedented commitment” to strengthen the privacy and civil liberties safeguards governing US signals intelligence activities, addressing the concerns raised by the Court, and provided three examples of how it will work:
- The United States will limit the use of signals intelligence activities to when it is “necessary to advance legitimate national security objectives,” and ensure that it does not “disproportionately” impact privacy and civil liberties.
- The United States will grant EU individuals the ability to seek redress “from a new multi-layer redress mechanism” that will include an independent Data Protection Review Court.
- The United States will “adopt procedures to ensure effective oversight of new privacy and civil liberties standards.”
What, if Anything, Should Affected Companies and Organizations Do Now?
The White House’s fact sheet notes that in order to use the new Framework when it is implemented, organizations will need to adhere to the Privacy Shield principles and self-certify their adherence through the US Department of Commerce as required under the last Privacy Shield.
Companies should also continue to ensure they have a legal basis and valid data transfer mechanisms, such as Standard Contractual Clauses (SCCs), in place for transfers of personal data out of the European Union. On June 4, 2021, the European Commission adopted and published a new set of these SCCs providing a legal basis for international transfers of personal data from the EU/EEA to third countries. These SCCs incorporate the requirements of the GDPR and take into account the July 2020 CJEU judgment referenced above.
Further details on the Framework, however, remain to be seen. The EU will not make an “adequacy decision” until the Framework is translated into an Executive Order by the United States. In addition, a court challenge to the Framework in the CJEU appears likely, given the tortured history of EU-US data regulation.