The Privacy shield is dead, long live the Trans-Atlantic Data Privacy Framework !

On the 25th of March 2022, the European Union and the U.S announced they had agreed ‘in principle’ to a new framework for cross-border data transfers. [1] Due to the lengthiness and the difficulty of the negotiation, this announcement came as surprise. According to President Joe Biden, ‘this framework underscored [the EU and the U.S] shared commitment to privacy, to data protection and the rule of law’. Further, the new agreement will ‘enable predictable and trustworthy data flows between the EU and US, safeguarding the privacy and civil liberties’  said European Commission President Ursula von der Leyen.

The White House[2] and the European Commission[3] have recently released a ‘fact sheet’ providing details on the Trans-Atlantic Data Privacy Framework. The key principles are the following:

• 1.Signals intelligence collection may be undertaken only where necessary to advance legitimate national security objectives, and must not disproportionately impact the protection of individual privacy and civil liberties;
• 2.EU individuals may seek redress from a new multi-layer redress mechanism that includes an independent Data Protection Review Court that would consist of individuals chosen from the U.S. Government who would have full authority to adjudicate claims and direct remedial measures as needed; and
• 3.U.S intelligence agencies will adopt procedures to ensure effective oversight of new privacy and civil liberties standards;
• 4.Participating companies and organizations that take advantage of the Framework to legally protect data flows will continue to be required to adhere to the Privacy Shield Principles, including the requirement to self-certify their adherence to the Principles through the U.S. Department of Commerce. EU individuals will continue to have access to multiple avenues of recourse to resolve complaints about participating organizations, including through alternative dispute resolution and binding arbitration.

This announcement is quite unexpected. Indeed, the recent ruling of the US Court allowing US authorities to withhold information on national security grounds whenever Europeans wanted to challenge how they were monitored, appeared for several commentators as a step back.

Further, with the lengthiness of the negotiation, European data protection authorities such as France, the Netherlands, and Austria started to ban local companies from moving data to the US.

This new Trans-Atlantic Data Privacy Framework aims at offering adequate protection of Europeans’ data transferred to the US, addressing the ruling of the European Court of Justice (Schrems II), safe and secure data flows, durable and reliable legal basis, and a competitive digital economy and economic cooperation. For now, the agreement will be translated into legal documents and the U.S commitments will be included in an Executive Order. This will form the basis of a draft adequacy decision by the Commission to put in place the new Trans-Atlantic Data Framework.

[1] Joint Statement on Trans-Atlantic Data Privacy Framework (europa.eu)

[2] FACT SHEET: United States and European Commission Announce Trans-Atlantic Data Privacy Framework | The White House

[3] Trans-Atlantic Data Privacy Framework (europa.eu)