On March 25, 2022, President of the European Commission, Ursula von der Leyen announced an agreement in principle has been made on a new framework for transatlantic data flows. EU and US negotiators have been working towards a solution for EU-US data flows since the invalidation of the EU-US Privacy Shield in the Schrems II decision. Since the statement was made, parties on both sides of the negotiating table have confirmed that talks are intensifying and have emphasized the importance of re-establishing an agreement for transatlantic data flows and the benefits for the economy and society in both the EU and the US.
While the finer details of the agreement are deliberated, the news of a breakthrough on a new framework for EU-US data transfers will be welcomed by privacy professionals who have been navigating uncertain waters for the best part of two years.
At What Stage Are the Negotiations on the EU-US Framework for Transatlantic Data Flows?
In a series of statements published to Twitter on Friday morning, von der Leyen wrote: “Pleased that we found an agreement in principle on a new framework for transatlantic data flows. It will enable predictable and trustworthy 🇪🇺🇺🇸 data flows, balancing security, the right to privacy and data protection. This is another step in strengthening our partnership.”
Following the announcement on Twitter, the European Commission published a statement made by President von der Leyen in which she underlined the agreement in principle that had been reached and noted that the new framework would “enable predictable and trustworthy data flows between the EU and US, safeguarding privacy and civil liberties”
“And we also need to continue adapting our own democracies to a changing world. This is particularly true when it comes to digitalisation, in which the protection of personal data and privacy has become so crucial. Therefore, I am very pleased that we have found an agreement in principle on a new framework for transatlantic data flows. This will enable predictable and trustworthy data flows between the EU and US, safeguarding privacy and civil liberties. I really want to thank Commissioner Reynders and Secretary Raimondo for their tireless efforts over the past months to find a balanced and effective solution. This is another step in strengthening our partnership. We manage to balance security and the right to privacy and data protection.” – Ursula von der Leyen, President of the European Commission
Further to the statements made by President von der Leyen, EU Commissioner for Justice, Didier Reynders, and U.S. Secretary of Commerce, Gina Raimondo, published a joint statement confirming that negotiations were intensifying over a new framework from transatlantic data flows and that “facilitating trusted data flows will support economic recovery after the global pandemic, to the benefit of citizens and businesses on both sides of the Atlantic.”
In a statement published by the White House President Joe Biden remarked “we’ve agreed to unprecedented protections for data privacy and security for our citizens. This new agreement will enhance the Privacy Shield Framework; promote growth and innovation in Europe and the United States; and help companies, both small and large, compete in the digital economy.”
Following the initial statements published by both the White House and the EU, the White House published a factsheet related to the announcement. The factsheet outlines the commitment that the US has made to implement new safeguards that will ensure surveillance activities in the pursuit of national security are necessary and proportionate. The new framework would require US intelligence agencies to adopt procedures to ensure effective oversight of new privacy and civil liberties standards. The factsheet also includes further information on a new mechanism to allow EU individuals to seek redress if they feel they have been unlawfully targeted by US surveillance activities.
What Impact Will a New EU-US Framework for Transatlantic Data Flows have on Organizations?
Since the invalidation of the EU-US Privacy Shield in July 2020, organizations making transatlantic personal data transfers have had to adopt alternative measures to ensure adequate levels of protection. The introduction of the European Commission’s revised Standard Contractual Clauses (SCCs) left many businesses contending with the challenge of extensive contractual updates, the assessment of third countries, and the adoption of supplementary measures. Implementation of these measures has also come under scrutiny in recent months. Organizations making transfers of personal data to third countries will still need to follow the guidance that followed the Schrems II case, but a new framework would allow organizations transferring personal data to the US to breathe a sigh of relief.
Although there are few details on the specifics of any new agreement between the EU and the US on this matter, a new framework aims to bring with it more legal certainty for transatlantic data transfers, ease the administrative burden for organizations, help to promote transatlantic business and ensure that EU data subjects’ personal data is being appropriately protected.
It is worth noting that today’s announcement only stated that an agreement in principle had been reached between the EU and US. The timeframe for a concrete legal text that organizations can rely upon remains unclear but it signals light at the end of the tunnel.