What you need to know about the new Trans-Atlantic Data Privacy Framework
Tarryn Howard - Data Privacy Consultant

16 July 2020 is a very significant date in the world of privacy and data protection. On this date, the Court of Justice of the European Union (CJEU) handed down the judgment[1] invalidating the Privacy Shield framework. This ruling has become known as the Schrems II ruling.

The Privacy Shield framework provided the possibility to lawfully transfer personal data from the European Union (EU) to the United States of America (US), while ensuring a strong set of protection requirements and safeguards. This framework enabled businesses located in the European Economic Area (EEA) to legally transfer personal data to businesses that were certified as being Privacy Shield compliant. Participation in the Privacy Shield list is voluntary.

The Schrems II ruling is in line with the CJEU’s persistent strengthening of the level of protection in recent years. This is evident from the annulment of the Passenger Name Record (PNR) Agreement between the EU and US and the invalidation of the Safe Harbour Decision in the Schrems I judgment of 2015.

The Privacy Shield was introduced as a replacement for the Safe Harbour principles. Although the Privacy Shield framework addressed many of the defects of the Safe Harbour principles, many privacy lacunae remained. These privacy lacunae were repeatedly criticized, including in 2018 when the European Parliament and European Data Protection Board (EDPB) issued a resolution concerning this. Despite this, the European Commission reaffirmed the Privacy Shield mechanism by stating that the level of data protection offered by the US was adequate.


Consequences of Schrems II ruling

The invalidation of the Privacy Shield left numerous businesses wondering which mechanism can be used to transfer personal data. Businesses that had concluded Standard Contractual Clauses (SCCs) to transfer the personal data could continue to rely on this mechanism for the transfer but had to ensure that ‘additional safeguards’ were provided for. What exactly these additional safeguards entailed was not defined. In addition, a transfer impact assessment must be conducted prior to the transfer of personal data.

In June 2021, the new, modernized SCCs were published with the caveat that all previously concluded SCCs would need to be updated to reflect the new, modernized SCCs by December 2022. Since the invalidation of the Privacy Shield, businesses are faced with more and more obligations and uncertainties when transferring personal data. One of these uncertainties is the replacement of the Privacy Shield and when it will be introduced.


A new development?

On 25 March 2022, the European Commission and the US reached an agreement in principle for a new Trans-Atlantic Data Privacy Framework. A positive first step is that the highest US authorities have committed to establishing unprecedented measures to protect the privacy and personal data of individuals in the EEA when their personal data are transferred to the US.

The new Trans-Atlantic Data Privacy Framework is said to rest on a number of key principles, which will include:

  • data will be able to flow freely and safely between the EU and participating US companies;
  • a new set of rules and binding safeguards to limit access to data by US intelligence authorities to what is necessary and proportionate to protect national security. US intelligence agencies will adopt procedures to ensure effective oversight of new privacy and civil liberties standards;
  • a new two-tier redress system to investigate and resolve complaints of Europeans on access of data by US intelligence authorities, which includes a Data Protection Review Court;
  • strong obligations for companies processing data transferred from the EU, which will continue to include the requirement to self-certify their adherence to the Principles through the US Department of Commerce;
  • specific monitoring and review mechanisms.

It has also been said that this deal will contain various benefits, which include:

  • adequate protection of Europeans’ data transferred to the US, which addresses the Schrems II ruling;
  • safe and secure data flows;
  • durable and reliable legal bases;
  • competitive digital economy and economic cooperation;
  • continued data flows underpinning €900 billion in cross-border commerce every year.


The EDPB’s response

The EDPB has welcomed the announcement of this political agreement regarding the new Trans-Atlantic Data Privacy Framework. The EDPB also views the commitment of the highest authorities in the US to establish unprecedented measures to protect the privacy and personal data of individuals in the EU when their personal data are transferred to the US as a step in the right direction. The EDPB will examine how this political agreement translates into concrete legal proposals in addressing the concerns raised by the CJEU in the Schrems II ruling.

In compliance with the GDPR, the EDPB will provide its opinions on the new Privacy Framework before it can be adopted by the European Commission. The EDPB said in a statement that it will analyse in detail the following aspects of the new Framework:

  • how these reforms ensure that the collection of personal data for national security purposes is limited to what is strictly necessary and proportionate;
  • the extent to which the announced independent redress mechanism respects EEA individuals’ right to an effective remedy and fair trial. Whether any new authority that is part of this mechanism also has access to relevant information will also be considered;
  • whether there is a judicial remedy against this authority’s decisions or inaction.


What does this mean for your organization?

It is not clear when the EDPB will provide its opinions on the new Trans-Atlantic Data Privacy Framework or when the European Commission and the US will agree upon a new Privacy Framework. Unfortunately, this can mean months of further uncertainty for businesses while updating SCCs and conducting transfer impact assessments.

If the past is anything to go by, the saying “the more things change, the more they stay the same” is very fitting in this instance. If a ‘Privacy Shield 3’ is introduced, it must be ensured that it does not contain any privacy lacunae like its predecessor, or the privacy and data protection world will be facing a Schrems III ruling.

Does your organization have questions about international data transfers to the US? Contact us at info@dpoconsultancy.nl for any questions regarding international data transfers.

[1] Case C-311/18 – Data Protection Commissioner v Facebook Ireland and M. Schrems: https://bit.ly/3ux11oH
