Future of Privacy: EU and the U.S. Agree to New Data Privacy Framework

The Biden Administration and European Commission recently announced an “agreement in principle” to replace the US-EU Privacy Shield with the Trans-Atlantic Data Privacy Framework, a new framework for governing the transfer of data between the EU and the U.S. that aims to improve data privacy protection for Europeans. After more than a year of negotiations, the announcement is a promising step towards addressing the concerns that first emerged with the July 2020 Schrems II decision by the Court of Justice of the European Union (CJEU), which found the US-EU Privacy Shield invalid. Since then, EU residents and global businesses have weathered legal uncertainty around personal data processing for EU data subjects. 

The new data privacy framework, otherwise known as Privacy Shield 2.0, aims to address the CJEU's concerns about the original US-EU Privacy Shield. These concerns primarily relate to U.S. data surveillance laws and center around the scope and permissibility of U.S. national security surveillance activity, and the availability of a redress mechanism for Europeans whose personal data may have been improperly collected and used by U.S. intelligence agencies. The new framework aims to clear up any ambiguities around U.S. surveillance practices with respect to the personal data of Europeans. Upon implementation, the law will also create an independent data protection review court to review and redress instances of improper surveillance. 

Key principles of the Trans-Atlantic Data Privacy Framework include: 

The ability for data to flow freely and safely between the EU and participating U.S. companies,

Assurances that the U.S. will establish a two-level independent redress system to investigate and resolve complaints, 

A new set of rules and binding safeguards to limit surveillance and the access of personal data by U.S. intelligence authorities to only what is “necessary and proportionate” to protect national security, 

Maintaining requirements for US-EU businesses to comply, including the requirement of self-certification, via the Department of Commerce. 

The agreement in principle will soon be translated into legal documents, with President Biden signing an Executive Order that will form the basis of a draft adequacy decision by the European Commission. Until the Trans-Atlantic Data Privacy Framework is signed into law, experts maintain that businesses should continue to rely on binding corporate rules, maintaining data on servers located in the EU, and other US-EU Privacy Shield standards. Already, tech companies have pledged support for the Trans-Atlantic Data Privacy Framework, and are expanding existing corporate data protection to ensure compliance. Microsoft, for example, detailed its commitments to the new framework and shared initial plans for enhancing the handling of legal requests concerning customer data and providing further support for individuals who are concerned about their rights and personal data protection. 

“Coupled with similar developments, like the Digital Services Act, it’s clear the European Union aims to develop and uphold the gold standard for data protection and privacy,” said Ed Grice, head of EMEA at PMG. “By taking the first steps in advocating for better data privacy for its citizens, the Trans-Atlantic Data Privacy Framework is the EU’s way of ensuring safeguards globally.” 

In the months to come, we can expect further details about the redress mechanisms and any new data protection requirements businesses will need to comply with before Privacy Shield 2.0 is signed into law. While it remains to be seen if the new data protection framework fully addresses the concerns of the CJEU and can withstand legal scrutiny, the announcement of such plans signals the EU and the U.S. are committed to facilitating the transfer of transatlantic data and ensuring adequate safeguards are in place to protect the data privacy of consumers.