The U.S. President and European Commission President announced in a joint press statement on March 25th, 2022 that an agreement “in principle” has been reached on a new Trans-Atlantic Data Privacy Framework (Privacy Shield Agreement 2.0). Once approved and implemented, the agreement would facilitate the transatlantic flow of personal data and provide an alternative data transfer mechanism (in addition to EU Standard Contractual Clauses and Binding Corporate Rules) for companies transferring personal data from the EU to the U.S. This is a welcome announcement for companies that have been dealing with the legal uncertainty of such data flows following the Schrems II decision in July 2020, which invalidated the EU-U.S. Privacy Shield 1.0 for international transfers of personal data.
Under the proposed Trans-Atlantic Data Privacy Framework, the United States has made commitments to:
- Strengthen the safeguards governing U.S. signals intelligence activities, by for example, ensuring such activities are undertaken only where necessary to advance legitimate national security objectives;
- Establish a new multi-layered redress mechanism that includes an independent Data Protection Review Court composed of individuals from outside the U.S. Government; and
- Enhance existing oversight with U.S. intelligence agencies adopting procedures to ensure effective oversight of new privacy and civil liberties standards.
Participating companies and organizations that take advantage of the Framework to legally protect data flows will continue to be required to adhere to the Privacy Shield Principles, including the requirement to self-certify their adherence to the Principles through the U.S. Department of Commerce. EU individuals will also continue to have access to avenues of recourse to resolve complaints about participating organizations, including through alternative dispute resolutions and binding arbitration.
The European Commission and U.S. Government teams will now continue in their cooperation to finalize the necessary legal documents that will then need to be adopted on both sides to put in place the new Trans-Atlantic Data Privacy Framework. On the U.S. side, it is expected that this will include an Executive Order that will form the basis for the European Commission’s assessment of the adequacy of the eventual agreement in detail.