The United States and European Commission Announce a New Trans-Atlantic Data Privacy Framework

April.05.2022

The United States ("U.S.") and the European Commission ("EU Commission") recently announced an “agreement in principle” to develop a new Trans-Atlantic Data Privacy Framework (“Framework”). The Framework is intended to re-establish a legal mechanism for transfers of EU personal data to the U.S. after the Court of Justice of the European Union ("CJEU") invalidated the EU-U.S. Privacy Shield over concerns about the breadth of U.S. surveillance laws in its Data Protection Commission v. Facebook Ireland and Maximillian Schrems (“Schrems II”) judgment on July 16, 2020.

In a joint statement, U.S. President Joseph Biden and European Commission President Ursula von der Leyen emphasized the Framework's shared commitments to advance privacy, data protection, the rule of law and security. They noted that the new Framework would “enhance the previously invalidated Privacy Shield framework” to help small and large companies compete in the digital economy and support the continued flow of data underpinning more than $1 trillion in cross-border commerce annually.

Background

Following the invalidation of the EU-U.S. Privacy Shield in Schrems II, regulators scrambled to negotiate a new framework to enable companies to continue to transfer data to the U.S.

Now, after more than a year of negotiations between the U.S. and the EU, the U.S. committed to incorporating new safeguards to form a durable and reliable basis for the European Commission’s future adequacy decision regarding protections afforded to EU personal data transferred into the U.S. The joint announcement focused on trying to address several concerns highlighted by the Court in Schrems II by committing to several new data protection measures to be implemented by the U.S. intelligence community.

The Framework will build on the structure of the previously invalidated Privacy Shield framework and will focus on several key principles and actions. The Framework includes:

The free and safe flow of data between the EU and participating U.S. companies.
The enactment of rules and binding safeguards to limit access to data by U.S. intelligence authorities to only what is “necessary and proportionate” to advance defined national security objectives and without disproportionately impacting the protection of privacy and civil liberties.
The creation of a two-tier redress system to investigate and resolve EU data subjects’ complaints regarding access of data by U.S. intelligence authorities including the creation of a Data Protection Review Court that would consist of individuals chosen from outside the U.S. government who would have full authority to adjudicate claims and direct remedial measures as necessary. EU individuals will continue to have access to multiple avenues of recourse to resolve complaints regarding participating companies, including options for alternative dispute resolution and binding arbitration.
The obligation for companies processing data transferred from the EU to meet high standards including requirements to adhere to, and self-certify their adherence to, the Privacy Shield Principles under the oversight of the U.S. Department of Commerce.
The encouragement of U.S. intelligence agencies to adopt procedures to ensure effective oversight of new privacy and civil liberties standards.
The development of specific monitoring and review mechanisms.

For now, many of the details are still unknown and the White House has indicated that additional information is forthcoming in an Executive Order and the adoption of legal documents to effectuate the new Framework in both the U.S. and the EU.

Initial Responses

Max Schrems, the lead litigant in Schrems II, issued a statement through his nonprofit organization, noyb (“None of Your Business”). Schrems stated that the announcement was solely “a political announcement” and that until there was a final text to review, the Framework could be months away from implementation. Additionally, Schrems indicated that he would review the text, when issued, closely and was “likely to challenge” it if deemed not to be in line with EU law. Noyb speculated that this may lead to “legal uncertainty for the time being.”

Key Takeaways

The new Framework includes “unprecedented” commitments by the U.S. to privacy, data protection and security with the goal of encouraging cross-border data flows. The U.S. will augment the previously invalidated Privacy Shield framework and strengthen its privacy and data protection activities. Together, the U.S. government and the European Commission will continue working to formalize their commitment to form the Trans-Atlantic Data Privacy Framework.

If you have questions about how the new Framework may impact your business operations, please contact a member of Orrick's Cyber, Privacy & Data Innovation team.

Authors

Dr. Christian Schröder Partner, Cyber, Privacy & Data Innovation, Technology Transactions

Düsseldorf

See my bio

D:+49 211 3678 7269
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Technology Companies Group
Automotive Technology & Mobility
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Dr. Christian Schröder Partner

Düsseldorf

Christian helps clients consider the privacy and artificial intelligence implications of new technology, supports their compliance programs, and helps them stay ahead of enforcement trends. One particular focus of his work deals with internal data transfer agreements, external data transfers with external providers, and product launches that comply with international data protection standards, as well as privacy requirements for connected cars. Furthermore, Christian provides guidance on privacy and data protection considerations for developing, acquiring, using, licensing and selling technology, data and intellectual property, including M&A transactions and IP focused joint ventures. He supports companies on the set-up of webshops, outsourcings, license agreements, in cases of trademark or unfair and deceptive trade practice issues, as well as on hard and software license and information technology (IT) project agreements.

Christian maintains strong working relationships with German data protection authorities and EU regulatory authorities with jurisdiction over privacy and data security matters. He effectively defends companies in cybersecurity and privacy-related investigations initiated by EU regulatory authorities. He also engages with authorities on behalf of clients and helps clients avoid proceedings and possible litigation. When litigation can't be avoided, Christian vigorously defends his clients.

For companies facing global cybersecurity incidents, Christian helps with crisis mitigation, including counseling on notification requirements, coordinating media strategies, and representing clients before data protection authorities in related regulatory investigations.

Christian regularly contributes practical thought leadership to global privacy industry publications and German privacy books and journals. Christian authors the Chapter V (international data transfers) of Germany’s leading GDPR commentary Kühling/Buchner (4th ed.) and is co-author to the Corporate Privacy Handbook (Betrieblicher Datenschutz). As an active member of the Sedona Conference, Christian drives the development and understanding of cross border privacy. He also participates in, hosts and moderates speaking programs with fellow private practitioners, EU data protection authorities, and academics focused on privacy and data security. Legal 500 Germany named Christian one of the top 15 practitioners in 2023 and noted that he is "a pioneer in the legal field, a data protection guru." They also recognized Christian and Orrick as "truly global" and how that it is "vital as they require the various leaders of each region to participate and bring issues to the table as a forum".

Prior to working in private practice, Christian interned with the German Federal Data Protection Commissioner and www.epic.org.

Shannon Yavorsky Partner, Cyber, Privacy & Data Innovation, Technology Transactions

San Francisco; London

See my bio

D:+1 415 773 5731
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Global Compliance & Regulatory
Government Investigations and Enforcement Actions
Responsible Business
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Shannon Yavorsky Partner

San Francisco; London

She advises public and private companies across several sectors, including life sciences and health technology, financial services, private equity, insurance, social media and technology on a range of EU and U.S. federal and state privacy laws. Shannon’s strategic counseling advice includes, but is not limited to:

Advertising and payment card processing self-regulatory frameworks
Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM)
Electronic Communications Privacy Act (ECPA)
EU AI Act
EU e-Privacy Directive (EPD)
EU General Data Protection Regulation (GDPR)
Fair Credit Reporting Act (FCRA)
Gramm–Leach–Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
National Institute of Standards and Technology (NIST) AI Risk Management Framework (AIRMF)
Telephone Consumer Protection Act (TCPA)
U.S. state breach notification laws
U.S. state privacy laws in California, Colorado, Connecticut, Utah, Virginia and other states

Shannon also helps clients undertake comprehensive privacy, cybersecurity and AI risk assessments, evaluates privacy, security and AI risks in corporate transactions and drafts and negotiates data-related contracts. She advises clients on cross-border data transfers, data breaches and developing global privacy and AI compliance programs.

Michaela Frai Associate, Cyber, Privacy & Data Innovation, Strategic Advisory & Government Enforcement (SAGE)

New York

See my bio

D:+1 617 880 2248
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Michaela Frai Associate

New York

Michaela helps clients build global privacy programs and advises on United States (U.S.) state and federal consumer privacy laws, including the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA), and the Colorado Privacy Act. Her work also includes counseling on compliance with the General Data Protection Regulation (GDPR).