The European Commission and the United States have announced a new data transfer mechanism, following the invalidation of Privacy Shield in July 2020.
As data privacy experts may remember, in July 2020 the Privacy Shield data transfer mechanism (which applied to transfers of European data to accredited US companies) was invalidated following the ECJ decision in Schrems II.
On 25 March 2022, the European Commission and the United States announced that they had reached an agreement in principle on a brand new Trans-Atlantic Data Privacy Framework.
Following a high-profile announcement, the joint statement said that the Framework would include:
The full text of the agreement is not yet available and there is some scepticism as to how this will address the issues of US intelligence surveillance which were raised in the Schrems II case.
Once implemented, this new Framework will provide a lawful basis for the transfer of personal data from the EU to the US.
In order to be effective, this agreement now needs to be incorporated into legally binding documents. An Executive Order in the US will form the basis of a draft adequacy decision by the European Commission, which will then need to be formally adopted under GDPR. In practice, it may be some time before companies can rely upon this mechanism and it will be subject to challenge by Max Schrems (the privacy campaigner who was responsible for the case according to which Privacy Shield was invalidated).
This Framework would not apply to transfer of data from the UK to the US as it is no longer a member of the European Union.