Data transfer to the US: is Privacy Shield 2.0 in the making?

28th April 2022

The European Commission and the United States have announced a new data transfer mechanism, following the invalidation of Privacy Shield in July 2020.

Background

As data privacy experts may remember, in July 2020 the Privacy Shield data transfer mechanism (which applied to transfers of European data to accredited US companies) was invalidated following the ECJ decision in Schrems II.

The latest development

On 25 March 2022, the European Commission and the United States announced that they had reached an agreement in principle on a brand new Trans-Atlantic Data Privacy Framework.

Following a high-profile announcement, the joint statement said that the Framework would include:

A new set of rules and binding safeguards to limit access to data by US intelligence authorities to what is necessary and proportionate to protect national security. Intelligence agencies will adopt procedures to ensure effective oversight.
A new two-tier redress system to investigate and resolve complaints from Europeans about access to data by US intelligence authorities. This includes a Data Protection Review Court.
Strong obligations for companies processing data transferred from the EU. This will include the requirement to self-certify their adherence to the US Department of Commerce.
Specific monitoring and review mechanisms.

The full text of the agreement is not yet available and there is some scepticism as to how this will address the issues of US intelligence surveillance which were raised in the Schrems II case.

What does this mean for businesses?

Once implemented, this new Framework will provide a lawful basis for the transfer of personal data from the EU to the US.

In order to be effective, this agreement now needs to be incorporated into legally binding documents. An Executive Order in the US will form the basis of a draft adequacy decision by the European Commission, which will then need to be formally adopted under GDPR. In practice, it may be some time before companies can rely upon this mechanism and it will be subject to challenge by Max Schrems (the privacy campaigner who was responsible for the case according to which Privacy Shield was invalidated).

This Framework would not apply to transfer of data from the UK to the US as it is no longer a member of the European Union.

If you have any questions about data privacy please contact Deborah Margolis or Darren Isaacs.

Twitter

Employers often want to have a data retention policy which works for all of their international operations. We look at the challenges with this approach and how to make it work in practice.Read More »

“One size fits all” data retention policies: a unicorn for international employers?

NEWS

Data transfer to the US: is Privacy Shield 2.0 in the making?

Background

The latest development

What does this mean for businesses?

Related Articles

“One size fits all” data retention policies: a unicorn for international employers?

UK GDPR reforms a “blunt instrument” with cross-border consequences

UK data privacy regulator publishes guidance following relaxation of covid measures

Increase in workplace monitoring – how can employers ensure that it is legally compliant?

Data Subject Access Requests (DSARs)

Three Senior Lawyers join M&A Support Team at employment law firm GQ|Littler

Lexology interviews GQ|Littler: Remote working in Ireland

US firms mandate vaccines while European employers are more cautious

Sports in the news – what do the employment lawyers think this November?