President Biden and EU leaders announced on March 25, 2022 an agreement in principle to craft a replacement for the Privacy Shield and expand options for trans-Atlantic data transfers in accordance with the General Data Protection Regulation (“GDPR”).
The GDPR requires that transfers of personal data of EU residents to countries outside of the EU must take place pursuant to an approved transfer mechanism, provided the recipient country has not received a decision by the European Commission that the its data protection laws are adequate. Various states – including Canada, Israel, Japan, South Korea, and the UK – are considered by the European Commission to have “adequate” data protection laws. Importantly, the United States has never received such a determination. Since the GDPR went into effect, the U.S.’s status has left few avenues for lawful transfers to the United States.When the GDPR came into force, most transfers took place pursuant either to Standard Contractual Clauses approved by the EU Commission, or to the Privacy Shield, a self-certification program where recipient companies would undertake certain responsibilities to protect the data they received.
Options have grown still more limited since July 2020, when the European Court of Justice invalidated the Privacy Shield as a legal transfer mechanism. It based its concerns on domestic surveillance by the U.S. government.
Meet the New Trans-Atlantic Data Privacy Framework, Same as the Old Trans-Atlantic Data Privacy Framework
Although the White House has released only an overview of the new framework, it appears to be aimed squarely at addressing the legal rationale for the invalidation of the Privacy Shield. The White House states that, under the new deal, “signals intelligence activities” – that is, the interception of electronic communications – carried out by the United States government with respect to EU personal data will be “necessary and proportionate in the pursuit of defined national security objectives,” and that the deal will “create a new mechanism for EU individuals to seek redress if they believe they are unlawfully targeted by signals intelligence activities.” In other words, the substantive crux of the deal is aimed at the U.S. government, not private entity data protection.
For private companies, early indications suggest that the new framework will require adherence to essentially the same Framework Principles that were used for compliance with the Privacy Shield, such as giving notice of data processing, giving individuals meaningful choices regarding their data, and remaining accountable for onward transfers of data. The White House has also suggested that the self-certification mechanism supervised by the U.S. Department of Commerce will continue to be used. In other words, after a two year hiatus, companies may find themselves picking up where they left off.
Seeking Counsel Ahead
Foley Hoag will continue to monitor the negotiations as they progress towards binding legal documents to be adopted both in the United States and the EU. Even at this early stage, though, companies can begin to prepare for the new regime by seeking counsel as to how to comply with the Privacy Shield Framework Principles upon the basis of existing Privacy Shield guidance.