
Privacy Shield Redux: Looking Ahead to a New EU-U.S. Data Transfer Framework

In today’s interconnected global environment, businesses need a predictable and streamlined legal mechanism to transfer personal data from the European Union to the United States. In light of this compelling business need, the European Commission and the U.S. government have historically developed joint frameworks to facilitate the lawful transfer of personal data. These prior frameworks, known as the Safe Harbor and the Privacy Shield (which succeeded the Safe Harbor), were both ultimately invalidated by the Court of Justice of the European Union (CJEU). Following the 2020 invalidation of the Privacy Shield, the Biden Administration and the European Commission have taken steps toward establishing a new mechanism in support of cross-border data flows from the EU to the U.S., this time known as the Trans-Atlantic Data Privacy Framework. The new framework was first announced by President Biden and European Commission President Ursula von der Leyen in March 2022, and more recently, in October 2022, President Biden signed a long-awaited Executive Order (EO) in furtherance of the commitments agreed to by the U.S.

Predecessors: The Safe Harbor and Privacy Shield

The Safe Harbor framework, issued in 2000, was an agreement between the European Commission and the U.S. Department of Commerce that provided a legal mechanism to enable the flow of personal data from the EU to the U.S. The Safe Harbor required certifying organizations to publicly represent that they complied with seven privacy principles. It was a popular choice for U.S. importers of EU personal data related to employees, customers and other individuals. In 2015, the CJEU, in a case styled Schrems I, declared the Safe Harbor invalid based largely on the lack of restrictions on the U.S. government’s collection and use of personal data transferred under the Safe Harbor framework.

In 2016 and 2017, the European Commission and the Swiss government, respectively, approved a new mechanism to enable data transfers from the EU and Switzerland to the U.S. This framework, known as the EU-U.S. and Swiss-U.S. Privacy Shield Framework, like the Safe Harbor before it, provided for self-certification to a substantively similar set of seven privacy principles: notice; choice; accountability for onward transfer; security; data integrity and purpose limitation; access; and recourse, enforcement and liability. In the following years, more than 5,000 companies located in the U.S. certified their compliance with the Privacy Shield Principles, enabling them to rely on the Shield to freely import EU and Swiss personal data without the need for additional data transfer mechanisms.

On July 16, 2020, the CJEU, in the Schrems II case, invalidated the EU-U.S. Privacy Shield based on concerns that (1) U.S. government surveillance programs were not limited to what was “proportionate” and “strictly necessary” for their purposes, and (2) the U.S. lacked a body and means to provide redress for complaints by EU individuals regarding the treatment of their personal data that was substantially equivalent to those required under EU law. On September 8, 2020, the Federal Data Protection and Information Commissioner of Switzerland also issued an opinion that the Swiss-U.S. Privacy Shield could not be used as a legal basis to transfer personal data from Switzerland to the United States.

The Trans-Atlantic Data Privacy Framework

The sudden and unexpected invalidation of the Privacy Shield in July 2020 caused the thousands of Shield-certified U.S. companies to scramble to legalize ongoing data transfers from the EU and Switzerland. Most data exporters needed to quickly shift to using Standard Contractual Clauses in support of transfers to the U.S. and to conducting the transfer risk assessments also required by the Schrems II ruling, creating significant administrative burdens. In response to the ruling, EU and U.S. authorities quickly committed to re-negotiating a viable data transfer framework.

On March 25, 2022, President Biden and European Commission President von der Leyen announced an agreement in principle to launch a successor to the Privacy Shield to address the CJEU’s concerns in Schrems II. Under the agreement, the U.S. committed to implement new safeguards to ensure that signals intelligence activities are necessary and proportionate in the pursuit of defined national security objectives. The U.S. also agreed to create a new mechanism for EU individuals to seek redress if they believe they are unlawfully targeted by signals intelligence activities.

In his EO dated October 7, 2022, President Biden directed specified actions to implement the U.S. commitments. The EO establishes additional safeguards for U.S. intelligence activities, including requirements that the privacy and civil liberties of all persons be considered regardless of nationality and that relevant intelligence activities be conducted only when necessary and proportionate to advance defined national security objectives. The EO also creates a two-tier mechanism to redress claims by data subjects that their personal data was collected or handled by the U.S. in violation of applicable U.S. law, including the EO. Under the first tier, the Office of the Director of National Intelligence would conduct an investigation to assess qualifying claims and potential remedies. Under the second tier, an independent Data Protection Review Court would render binding decisions on such complaints.

The EO does not address the commercial terms of the Privacy Shield. This is appropriate given the shortfalls identified by the CJEU in Schrems II, which focused on government surveillance and alleged redress deficiencies. The EO’s obligations are limited to U.S. government authorities; there is no direct impact on certifying businesses.

The EO represents a significant effort by the U.S. government to address the CJEU’s concerns. It is a giant step forward on the path to a renewed framework for trans-Atlantic personal data transfers.

Next Steps and Practical Advice

The next step is for the European Commission to determine whether the new U.S. commitments, including the EO, are sufficient to re-establish a framework for transfers of personal data from the EU to the U.S. This ratification is anticipated in the spring of 2023. The UK and Switzerland likely will follow suit once EU authorities approve the new vehicle.

Absent a decision in the EU that the new framework is adequate, organizations seeking to transfer EU personal data to the U.S. will need to continue to rely on available alternative mechanisms for those data transfers, such as Standard Contractual Clauses, Binding Corporate Rules, and derogations provided in the GDPR for certain limited transfers (e.g., when the transfer is necessary to perform a contract). Organizations certified to the Privacy Shield continue to be bound by their commitments unless and until they affirmatively withdraw from participation.

Because the commercial terms of the new framework are expected to mirror those of the Privacy Shield, it is advisable for organizations that are currently certified under the Privacy Shield to stay the course and remain certified. Data importers not currently certified under the Privacy Shield should keep a close eye on the landscape and, when the new mechanism is finalized, consider whether certification to the new framework would provide a more seamless data transfer solution.