On March 25, 2022, the United States and European Commission announced by joint statement an agreement in principle on a new Trans-Atlantic Data Privacy Framework (the “Framework”). The Framework would replace the U.S.-EU Privacy Shield Framework, which the Court of Justice of the European Union (CJEU) invalidated as inadequate in the July 2020 Schrems II decision. If finalized, the Framework would enable critical data flows between the United States and Europe that underpin more than $1 trillion in cross-border commerce every year.
The joint statement and the U.S.-issued fact sheet highlight that the Framework would:
- Create a two-level independent redress mechanism featuring a “Data Protection Review Court” consisting of adjudicators outside of the U.S. government with binding authority to direct remedial measures for EU individuals if they believe they have been unlawfully targeted by U.S. signals intelligence activities or subjected to unlawful U.S. intelligence data processing;
- Introduce new safeguards to ensure that U.S. signals intelligence activities are necessary and proportionate in the pursuit of defined national security objectives;
- Strengthen the privacy and civil liberties safeguards governing U.S. signals intelligence activities; and
- Enhance existing rigorous and layered oversight of signals intelligence activities.
The U.S. commitments would be included in an Executive Order and carried out through new policies implemented by the U.S. intelligence community. The Executive Order would form the basis of the Commission’s assessment in its future adequacy decision. The terms of the agreement for the Framework itself also remain to be reduced to writing by the negotiators, with additional process and implementation requirements by the parties.
The announcement is a positive development for those awaiting an update on more than a year of detailed negotiations, led by U.S. Secretary of Commerce Gina Raimondo and the EU Commissioner for Justice Didier Reynders. Since Schrems II’s invalidation of Privacy Shield, companies have been required to rely on Standard Contractual Clauses (which were recently updated) or other cross-border data transfer mechanisms, with enhanced diligence regarding data transfer impacts. If the Framework is deemed adequate by the European Commission, companies will gain an important legal mechanism for facilitating cross-border data transfers.
The legal viability – and therefore the longevity – of the Framework remains unclear.
Under U.S. law, it is far from clear that the proposed Framework can be adopted via Executive Order and implemented by the U.S. intelligence community unless Congress also amends the relevant statutes governing the intelligence activities at issue, and Congressional support for this effort cannot be assumed. Seeking to implement the Framework without the involvement of Congress would also raise separation of powers issues that could lead U.S. courts to overturn the Framework if challenged.
From an EU perspective, the CJEU may not be as easily convinced of the adequacy of the new protections and safeguards to be implemented under the new Framework as the European Commission. The U.S.-EU Privacy Shield framework, which the CJEU invalidated in July 2020, was a replacement for the earlier U.S.-EU Safe Harbor framework, which the CJEU invalidated in October 2015. The new Framework undoubtedly would be challenged, and it is unclear whether the new Framework would be different enough from past frameworks to survive challenge and review by the CJEU. However, as with past frameworks, the new Framework would, at a minimum, provide additional measures while judicial review is pending, which would be an improvement over the current state of affairs. For now, companies should continue to rely on independent adequacy safeguards such as standard contractual clauses.
For more information about these cross-border data transfer developments, please contact Allison J. Bender, Todd Daubert, Simon Elliott, Michael E. Kar, or another member of Dentons’ global privacy and cybersecurity team.
For more information about Dentons’ data expertise and how we can help, please see our Cybersecurity and Data Breach Response page and our unique Dentons Data suite of data solutions for every business, including enterprise privacy audits, privacy program reviews and implementation, data mapping and gap analysis, and training in respect of personal information.