In late March, the United States and the European Union signed a new framework that will modify the Privacy Shield principles that had governed transatlantic transfers of data by companies and organizations since 2016.
It’s important to note that the Transatlantic Data Privacy Framework is not a regulation. It sets out the principles that the EU and US will follow in subsequent implementing regulations, a process that will likely take time and involve substantial detail. Nonetheless, the Framework sets the direction for clarifying how transatlantic data transfers and protections will be regulated once it is implemented.
In 2020, the Court of Justice of the European Union (CJEU) invalidated the existing Privacy Shield that was negotiated and implemented between the EU and US six years ago, a decision that threw the area of transatlantic data flows into uncertainty. Previously, by self-certifying to the Privacy Shield principles—a set of 23 principles, including notice, choice and access—US companies could demonstrate “adequate” privacy protection under the EU General Data Protection Regulation (GDPR) and be able to receive data from EU entities consistent with EU regulations.
GDPR took effect in 2018 to update and unify data privacy laws across the EU. It focuses primarily on making data transfers more transparent as well as protecting the data and the privacy of anyone whose data is stored or processed in the EU. GDPR also requires that personal data be maintained safely and protected against "unauthorized or unlawful processing, and against accidental loss, destruction or damage."
GDPR contains specific rights and principles that govern how data may be legitimately collected and transferred while regarding individuals’ rights to their data and its use. For example, permitted reasons for collecting personal data are defined in the GDPR. Any data that's collected must be for a specific and legitimate purpose and shouldn't be used in any way beyond that intention. The regulation also suggests limits on how much data is collected, as data collection should be "limited to what is necessary in relation to the purposes for which they are processed."
After the CJEU had held in 2015 that the US–EU Safe Harbor—which previously governed transatlantic data flows—was inconsistent with EU law, the European Commission and the US Department of Commerce put in place the Privacy Shield, a set of 23 principles. However, in its recent decision the CJEU took the view that the Privacy Shield did not ensure adequate protection required under GDPR.
The Court determined that the Privacy Shield did not ensure adequate protection because US law does not sufficiently restrict the power to implement surveillance programs and could limit the Privacy Shield principles on the basis national security interests. It also noted that there was no adequate judicial protection against interference for those whose data was affected.
The White House and the European Commission characterized the Framework as an “unprecedented commitment” to strengthen the privacy and civil liberties safeguards governing US signals intelligence activities, addressing the concerns raised by the Court. They provided three examples of how it will work:
The White House’s fact sheet notes that in order to use the new Framework when it is implemented, organizations will need to adhere to the Privacy Shield principles and self-certify their adherence through the US Department of Commerce as required under the last Privacy Shield.
Companies should also continue to ensure they have a legal basis and valid data transfer mechanisms, such as Standard Contractual Clauses (SCCs) in place for transfers of personal data out of the European Union. On June 4, 2021, the European Commission adopted and published a new set of these SCCs providing a legal basis for international transfers of personal data from the EU/EEA to third countries. These SCCs incorporate the requirements of the EU GDPR and take into account the July 2020 judgment CJEU referenced above.
Further details on the Framework, however, remain to be seen. The EU will not make an “adequacy decision” until the Framework is translated into an Executive Order by the United States. In addition, a court challenge to the Framework in the CJEU appears likely, given the tortured history of EU–US data regulation.
Understanding the principles outlined in the new Transatlantic Data Privacy Framework—and their implications on subsequent regulations—can help your organization ensure it is up to date on the latest guidance around data privacy and protection. You can learn more about the evolving digital and data privacy landscapes through these additional LRN resources:
This article was originally published in The Compliance & Ethics Blog.