The U.S. and EU Announce an “Agreement in Principle” to Replace the EU-U.S. Privacy Shield Framework: What Employers Need to Know

On March 25, 2022, the European Union (EU) announced that the United States and the EU had reached an agreement in principle to replace the EU-U.S. Privacy Shield framework, which the European Court of Justice (CJEU) struck down in its July 2020 Schrems II decision. Since the Schrems II decision, U.S. and EU negotiators have been hammering out a workable data transfer mechanism to permit the transfer of EU data to the United States.

What does the agreement provide?

The White House and European Commission each issued fact sheets that outline some of the details of the new agreement.  The new data transfer framework will be called the “Trans-Atlantic Data Privacy Framework” (TADPF) and will address the concerns raised by the CJEU in the Schrems II decision regarding the expansive data collection activities of U.S. intelligence agencies and the lack of judicial remedies under U.S. laws for EU data subjects whose data is collected by these agencies. Specifically, the TADPF will ensure that:

Companies and organizations that implement the TADPF will be required to comply with many of the Privacy Shield principles, including the requirement to self-certify their compliance through the U.S. Department of Commerce. Additionally, like under the Privacy Shield, EU individuals will continue to have access to multiple avenues of recourse to resolve complaints against participating TADPF organizations, including through alternative dispute resolution and binding arbitration.

What are the next steps for the new framework?

The U.S. government and the European Commission will translate this agreement into legal documents that will need to be adopted on both sides to implement the TADPF. The United States will document its commitments in an executive order that will form the basis of the European Commission’s assessment in its future adequacy decision.

Thereafter, the European Commission must follow a multi-step process for issuing the adequacy decision for the new framework. First, the EU Commission must draft a written proposal for the adequacy decision. Second, the European Data Protection Board (EDPB) must review and issue an opinion regarding the proposal. Third, representatives of the EU countries must approve the proposal.  Fourth and finally, the European Commission must formally issue an adequacy decision finding that the new framework provides protections for EU data that are essentially equivalent to those provided under EU law, i.e., the EU General Data Protection Regulation (GDPR).

This multi-step process will take time. For example, the process for issuing the adequacy decision for the Privacy Shield framework took six months from the European Commission’s proposal in February 2016 to the adoption of the adequacy decision in August 2016.

Will the new framework be upheld by the CJEU?

This is the key question. The CJEU has twice invalidated data transfer mechanisms between the EU and United States, the EU-U.S. Safe Harbor Framework in 2015 (the Schrems I decision) and the Privacy Shield in Schrems II, because of concerns regarding the collection activities of U.S. intelligence agencies and the lack of legal remedies for EU data subjects. Austrian privacy activist Max Schrems, who initiated the legal cases that resulted in both the Schrems I and Schrems II decisions, has already indicated that he will challenge the TADPF.

One thorny legal issue will be whether EU data subjects have an effective legal mechanism to challenge the U.S. government’s collection of their data under the TADPF. Currently, the ability of an EU data subject to obtain judicial redress against the U.S. government regarding its surveillance activities is severely restricted because U.S. surveillance activities are highly secret and EU data subjects must overcome the formidable obstacle of showing they have standing to sue the U.S. government because they have been harmed by these secretive practices.

What do employers need to know?

The key takeaways for EU companies and U.S. companies with employees in the EU are:

© 2024, Ogletree, Deakins, Nash, Smoak & Stewart, P.C., All Rights Reserved.
National Law Review, Volume XII, Number 90