Agreement For A New Trans-Atlantic Data Privacy Framework Announced

On March 25, 2022, the United States and European Commission announced by joint statement an agreement in principle on a new Trans-Atlantic Data Privacy Framework (the “Framework”). The Framework would replace the U.S.-EU Privacy Shield Framework, which the Court of Justice of the European Union (CJEU) invalidated as inadequate in the July 2020 Schrems II decision (analyzed here). If finalized, the Framework would enable critical data flows between the United States and Europe that underpin more than $1 trillion in cross-border commerce every year.

The joint statement and the U.S.-issued fact sheet highlight that the Framework would:

  • Create a two-level independent redress mechanism featuring a “Data Protection Review Court” consisting of adjudicators outside of the U.S. government with binding authority to direct remedial measures for EU individuals if they believe they have been unlawfully targeted by U.S. signals intelligence activities or subjected to unlawful U.S. intelligence data processing;
  • Introduce new safeguards to ensure that U.S. signals intelligence activities are necessary and proportionate in the pursuit of defined national security objectives;
  • Strengthen the privacy and civil liberties safeguards governing U.S. signals intelligence activities; and
  • Enhance existing rigorous and layered oversight of signals intelligence activities.

The U.S. commitments would be included in an Executive Order and implemented through new policies implemented by the U.S. intelligence community. The Executive Order would form the basis of the Commission’s assessment in its future adequacy decision. The terms of the agreement for the Framework itself also remain to be reduced to writing by the negotiators, with additional process and implementation requirements by the parties.

The announcement is a positive development for those awaiting an update on more than a year of detailed negotiations, led by U.S. Secretary of Commerce Gina Raimondo the EU Commissioner for Justice Didier Reynders. Since Schrems II’s invalidation of Privacy Shield, companies have been required to rely on Standard Contractual Clauses (which were recently updated) or other cross-border data transfer mechanisms, with enhanced diligence regarding data transfer impacts. If the Framework is deemed adequate by the European Commission, companies will gain an important legal mechanism for facilitating cross-border data transfers.

The legal viability – and therefore the longevity – of the Framework remains unclear.

Under U.S. law, it is far from clear that the proposed Framework can be adopted via Executive Order and implemented by the U.S. intelligence community unless Congress also amends the relevant statutes governing the intelligence activities at issue, and Congressional support for this effort cannot be assumed. Seeking to implement the Framework without the involvement of Congress would also raise separation of powers issues that could lead U.S. courts to overturn the Framework if challenged.

From an EU perspective, the CJEU may not be as easily convinced of the adequacy of the new protections and safeguards to be implemented under the new Framework as the European Commission. The U.S.-EU Privacy Shield framework, which the CJEU invalidated in July 2020, was a replacement for the earlier U.S.-EU Safe Harbor framework, which the CJEU invalidated in October 2015. The new Framework undoubtedly would be challenged, and it is unclear whether the new Framework would be different enough from past frameworks to survive challenge and review by the CJEU. However, as with past frameworks, the new Framework would, at a minimum, provide additional measures while judicial review is pending, which would be an improvement over the current state of affairs. For now, companies should continue to rely on independent adequacy safeguards such as standard contractual clauses.

For more information about these cross-border data transfer developments, please contact Allison J. Bender, Todd Daubert, Simon Elliott, or Michael E. Kar or another member of Dentons’ global privacy and cybersecurity team.

For more information about Denton’s data expertise and how we can help, please see our Cybersecurity and Data Breach Response page and our unique Dentons Data suite of data solutions for every businessincluding enterprise privacy audits, privacy program reviews and implementation, data mapping and gap analysis, and training in respect of personal information.

Subscribe and stay updated
Receive our latest blog posts by email.
Allison Bender

About Allison Bender

Allison’s practice focuses on risks associated with data and technology. She advises companies and boards on cybersecurity, data governance, privacy compliance, product counselling, cyber preparedness, incident response, crisis management, and public policy. With nearly a decade of prior government experience at the US Department of Homeland Security before joining private practice, clients benefit from Allison’s insights on data, technology, and regulation from a cybersecurity and national security perspective, including on cutting-edge issues like artificial intelligence, big data, the blockchain and cryptocurrency, and biometrics. She leads the privacy and cybersecurity team for Dentons’ Venture Technology and Emerging Growth Companies group.

Full bio

Todd Daubert

About Todd Daubert

Todd Daubert is a partner in Dentons' Washington, DC, office and chair of the Firm's Communications and Technology sectors. Todd has nearly two decades of experience advising companies that develop, integrate and deploy new technologies in transactional, regulatory, litigation and appellate matters. Leveraging a background in engineering, Todd crafts innovative solutions that help clients, from startups to global players, achieve their strategic objectives and minimize their risks, resulting in improved business results and profitability.

Full bio

Simon Elliott

About Simon Elliott

Simon focuses on advising multinational corporates on a wide range of data protection and technology law issues.

Full bio

Michael Kar

About Michael Kar

Michael E. Kar, CIPP/US/E is a Managing Associate in the Dentons Venture Technology and Emerging Growth Companies group. Michael’s practice focuses on data privacy compliance and information security.

Full bio