Data transfer to the US: is Privacy Shield 2.0 in the making?

28th April 2022

The European Commission and the United States have announced a new data transfer mechanism, following the invalidation of Privacy Shield in July 2020.

Background

As data privacy experts may remember, in July 2020 the Privacy Shield data transfer mechanism (which applied to transfers of European data to accredited US companies) was invalidated following the ECJ decision in Schrems II.

The latest development

On 25 March 2022, the European Commission and the United States announced that they had reached an agreement in principle on a brand new Trans-Atlantic Data Privacy Framework.

Following a high-profile announcement, the joint statement said that the Framework would include:

A new set of rules and binding safeguards to limit access to data by US intelligence authorities to what is necessary and proportionate to protect national security. Intelligence agencies will adopt procedures to ensure effective oversight.
A new two-tier redress system to investigate and resolve complaints from Europeans about access to data by US intelligence authorities. This includes a Data Protection Review Court.
Strong obligations for companies processing data transferred from the EU. This will include the requirement to self-certify their adherence to the US Department of Commerce.
Specific monitoring and review mechanisms.

The full text of the agreement is not yet available and there is some scepticism as to how this will address the issues of US intelligence surveillance which were raised in the Schrems II case.

What does this mean for businesses?

Once implemented, this new Framework will provide a lawful basis for the transfer of personal data from the EU to the US.

In order to be effective, this agreement now needs to be incorporated into legally binding documents. An Executive Order in the US will form the basis of a draft adequacy decision by the European Commission, which will then need to be formally adopted under GDPR. In practice, it may be some time before companies can rely upon this mechanism and it will be subject to challenge by Max Schrems (the privacy campaigner who was responsible for the case according to which Privacy Shield was invalidated).

This Framework would not apply to transfer of data from the UK to the US as it is no longer a member of the European Union.

If you have any questions about data privacy please contact Deborah Margolis or Darren Isaacs.

Twitter

Healthcare for female employees is a key area for businesses in the bid to retain and recruit talented people, but could new women’s health apps breach data privacy – potentially leading to serious consequences for women working in the US in the wake of the overruling of Wade v Roe? Alison Sneddon and Deborah Margolis investigate.Read More »

Women’s health, the workplace and ‘big data’ – what’s the connection?

MEDIA COVERAGE

Data transfer to the US: is Privacy Shield 2.0 in the making?

Background

The latest development

What does this mean for businesses?

Related Articles

Women’s health, the workplace and ‘big data’ – what’s the connection?

Irish court rules on lawfulness of use of CCTV in disciplinary proceedings

The risks of sexual harassment in the metaverse

UK to shift away from GDPR

“One size fits all” data retention policies: a unicorn for international employers?

UK GDPR reforms a “blunt instrument” with cross-border consequences

UK data privacy regulator publishes guidance following relaxation of covid measures

Increase in workplace monitoring – how can employers ensure that it is legally compliant?

Data Subject Access Requests (DSARs)