The latest in EU-US Data Transfer Negotiations
After nearly two years of uncertainty, privacy leaders have some welcome news in the form of an announcement from the European Commission (EC) about an agreement in principle on a new Trans-Atlantic Data Privacy Framework between the European Union and the United States.
On March 25, 2022, Ursula von der Leyen, President of the European Commission, announced in a series of tweets that an agreement in principle had been reached with the U.S. on a new framework for transatlantic data flows.
This negotiation had been ongoing between the two parties since the Court of Justice in the European Union (CJEU) invalidated the EU-US Privacy Shield on June 16, 2020, in the Schrems II decision.
Standing side-by-side, von der Leyen and U.S. President Joe Biden released a joint statement confirming the breakthrough agreement.
In the joint statement, von der Leyen emphasized this new framework will “enable predictable and trustworthy data flows between the EU and US, safeguarding privacy and civil liberties.”
Similarly, President Biden emphasized that the leaders had agreed “to unprecedented protections for data privacy and security for our citizens.”
Additionally, he noted“[t]his new arrangement will enhance the Privacy Shield framework, promote growth and innovation in Europe and in the United States and help companies, both small and large, compete in the digital economy.”
Next Steps to Adopting the Trans-Atlantic Data Privacy Framework
In the joint statement, von der Leyen noted that the Trans-Atlantic Data Privacy Framework is an agreement between the EU and the U.S. “in principle.”
Meaning both sides have a bit more work to do before the text is final. In laying out the next steps, both sides offered high-level overviews of what the new Framework will include.
The US has provided a press release and a fact sheet. In the press release, the U.S. identified the general commitments it would adopt by way of a presidential Executive Order in order to implement this new “breakthrough agreement.”
For example, the U.S. stated it will not only create a “new multi-layer redress mechanism that includes an independent Data Protection Review Court” but also “ensure that signals surveillance activities are necessary and proportionate the pursuit of defined national security objectives.”
Similarly, the European Commission has released its own overview of the Framework, including an insight into the key principles, the benefits, and the next steps:
- Based on the new framework, data will be able to flow freely and safely between the EU and participating U.S. companies
- A new set of rules and binding safeguards to limit access to data by U.S. intelligence authorities to what is necessary and proportionate to protect national security
- U.S. intelligence agencies will adopt procedures to ensure effective oversight of new privacy and civil liberties standards
- A new two-tier redress system to investigate and resolve complaints of Europeans on access of data by U.S. Intelligence authorities, which includes a Data Protection Review Court
- Strong obligations for companies processing data transferred from the EU, which will continue to include the requirement to self-certify their adherence to the Principles through the U.S. Department of Commerce
- Specific monitoring and review mechanisms.
The announcement immediately received criticism of a potential Schrems III case, of which both sides are committed to avoid through careful and deliberate cooperation.
The issue, identified by critics on both sides of the Atlantic, center around the permanence of an Executive Order versus statutory change.
However, this has been the major impediment throughout the negotiations, and one that has been heavily considered in crafting the impending agreement.
A permanent and successful construct to facilitate cross-border transfers between the EEA and the US has been a priority for well over a decade and this new arrangement will have been crafted to alleviate foreseeable legal objections.
Both sides assure us of this and stand firm in their intent.
When will the Trans-Atlantic Data Privacy Framework be Adopted?
While many of the details still remain unclear, the U.S. and EC have represented that the next steps will be to translate the agreement in principle into legal documents.
First, consider that the last two adequacy decisions adopted by the EU ran 93 pages (the UK) and 122 pages (South Korea). Both significantly longer than the current Privacy Shield Framework.
Also, the mechanisms the US must implement by way of the Executive Order are not trivial, especially creating a Data Protection Review Court.
That said, we will continue to monitor the developments of this agreement and look forward to updating you when the requirements have been released.
Once prepared, the agreement will be submitted to the European Data Protection Board for approval as required by the General Data Protection Regulation.
The European Data Protection Supervisor also released statements supporting the agreement in principle lauding that he “recognizes the importance of such a deal to strengthen the longstanding EU-US relationship and mutual understanding of the importance of privacy and data protection.”
But cautions that “a new framework for transatlantic data flows must be sustainable in light of requirements identified by the Court of Justice of the European Union.”
Should You Stay or Should You Go?
If you are currently part of the Privacy Shield program, we recommend you stay. Companies that have previously certified with the U.S. Department of Commerce are eagerly awaiting the final documents.
If you’re currently part of the Privacy Shield program, we recommend staying until the new agreement has been released.
Although the current EU-US Privacy Shield has been invalidated as a data transfer mechanism, it remains a set of commitments that fall under regulatory oversight from the Department of Transportation and the Federal Trade Commission (FTC).
If you’re looking for a framework that says, “I am committing to following an external set of requirements, subject to active government enforcement, that demonstrates accountability to objective third party criteria,” then you should stay a part of the Privacy Shield.
Also, when there is eventually a replacement, it will be easier to transfer to the new program.
Another good reason to stay is the complexities and consequences of withdrawal. Withdrawal is not a simple matter of pulling your name off the list of participants.
If you are currently processing data that you acquired under the Privacy Shield, you can no longer process it if you leave the program. You must delete it and inform the relevant controllers.
If you continue to process it, you could face heavy fines from the FTC, contractual issues, and both you and your controllers may face regulatory inquiries from EU regulators.
To avoid heavy fines and avoid pausing your data processing, there is an alternative to validate your international data transfers.
In addition, we welcome those companies who were previously Privacy Shield participants to return to our TRUSTe Privacy Shield Verification program.
Alternative Data Transfer Options
We highly recommend using the Standard Contractual Clauses (SCCs) as a fallback option post-Privacy Shield, as preparing your international data transfers with the SCCs will also prepare your organization to adopt the replacement to the Privacy Shield (whenever it arrives).
However, it’s worth noting that the old SCCs were easy to use out of Schrems II. Post Schrems II, for every international data transfer, you must conduct a data transfer risk assessment.
You will need to review the legislation and surveillance practices in the countries you receive data from, send data to, or where people in that country access the data, assess if it’s problematic from a European perspective, and verify if you can mitigate any risks with supplementary measures.
Mitigate Your Risks for International Data Transfers
When it comes to international data transfers, TrustArc has you covered. Understanding the risks of international data transfers is complicated, nuanced, and time-consuming.
TrustArc’s automated approach combines deep regulatory understanding and expert risk analysis, keeping your transfer assessments up to date.
TrustArc’s International Transfer Package helps organizations:
- Identify, manage, and mitigate risk through our algorithm that automatically detects data flows with transfer risk
- Conduct data transfer and risk threshold assessments
- Leverage templates that help operationalize regulatory requirements and trigger compliance mechanisms