The Biden Administration and the European Commission have taken steps toward establishing a new mechanism in support of cross-border data flows from the EU to the U.S., known as the Trans-Atlantic Data Privacy Framework. Here are the next steps for organizations seeking to transfer EU personal data to the U.S.
The EU and US have reached an agreement in principle on a Privacy Shield replacement, but details of the data transfer deal are not yet available to the public.
With Privacy Shield no longer available to rely on for protection, companies have two main options: to localize data storage and/or to strengthen their SCCs.
It appears that for some, including the biggest names in tech, the possibility of pulling out of Europe over the new Schrems data transfer requirements is not entirely off the table.
In the well-reported cases of both TikTok and Privacy Shield, governments took decisive action to protect their residents from potential abuse by other governments. These cases present businesses with steps they can take to adjust to the evolving environment.
Following the Schrems II ruling and invalidation of the US-EU Privacy Shield, the Council of Europe has said that intelligence services need to stop spying on individuals’ digital communications.
There was some question as to whether Schrems II would extend to the similar Swiss-US Privacy Shield agreement, and that question has now been answered.
Max Schrems, chairperson of noyb, has directed his organization to file over 100 privacy complaints against major businesses engaging in data transfers with the US.
Without serious privacy reform and a federal law in the US, it may not be possible to draft a Privacy Shield framework that survives another round in the EU court system.
While confirming that SCCs are valid with the Privacy Shield gone, the CJEU underlined that they can only be relied upon when risks have been properly assessed and cannot amount to a “tickbox exercise.”