EU and US agree on new international data transfer arrangements for an ‘enhanced’ Privacy Shield framework
On 25 March 2022, in a joint press conference, European Commission President Ursula von der Leyen and US President Joe Biden announced their ‘in principle’ agreement on a new framework to govern transatlantic data transfers between the EU and the US, intended to replace the previous EU-US Privacy Shield framework and referred to commonly as ‘Privacy Shield 2.0’.
The EU-US Privacy Shield was a mechanism for transfers of personal data from EU companies to companies in the US that adhered to the mechanism which was in place since 2016. On 16 July 2020, the European Court of Justice invalidated the EU-US Privacy Shield while confirming the validity of the EU Standard Contractual Clauses for the transfer of personal data to processors outside the EU/EEA.
In a joint statement made by European Commissioner for Justice Didier Reynders and US Secretary of Commerce Gina Raimondo, the negotiations for the establishment of Privacy Shield 2.0 “underscore our shared commitment to privacy, data protection and the rule of law and our mutual recognition of the importance of transatlantic data flows to our respective citizens, economies, and societies”.
In addition, the European Commission President Ursula von der Leyen and US President Joe Biden in their joint speech given in Brussels, indicated that the agreement will “enable predictable and trustworthy data flows between the EU and US, safeguarding privacy and civil liberties”.
The White House issued a fact sheet on 25 March announcing its commitment to the new framework, in which it states that the US has made unprecedented commitments to:
- Strengthen the privacy and civil liberties safeguards governing US signals intelligence activities
- Establish a new redress mechanism with independent and binding authority
- Enhance its existing rigorous and layered oversight of signals intelligence activities
The fact sheet further states that the new transatlantic data-transfer agreement will ensure that:
- Signals intelligence collection may be undertaken only where necessary to advance legitimate national security objectives, and must not disproportionately impact the protection of individual privacy and civil liberties
- EU individuals may seek redress from a new multi-layer redress mechanism that includes an independent Data Protection Review Court that would consist of individuals chosen from outside the US Government who would have full authority to adjudicate claims and direct remedial measures as needed
- US intelligence agencies will adopt procedures to ensure effective oversight of new privacy and civil liberties standards
You can find further analysis on the impact of the 2016 Schrems II judgement which struck down the EU-US Privacy Shield here.
The joint press statement given in Brussels can be found here.
The joint statement by US Secretary of Commerce Gina Raimondo and European Commissioner for Justice Didier Reynders can be found here.
The White House Fact sheet can be found here.