The newly released White House executive order implementing the long-awaited EU-U.S. Data Privacy Framework clears a path for trans-Atlantic business and diplomacy alike. Since the Court of Justice of the EU’s “Schrems II” decision invalidated Privacy Shield more than two years ago, personal data flows from the EU to the U.S. have been legally questionable. Some might argue, data transfers were effectively banned.
Enforcement actions have only trickled out, but their precedential and deterrent impact has been significant. That caused havoc for major U.S. technology firms under the microscope in Europe, but led mainly to head-spinning confusion, higher legal costs and a more limited selection of service providers for smaller firms. Friday’s executive order and Department of Justice regulations change that context, providing protections aimed at rebuilding trust and trade across the Atlantic.
Here’s an initial look at what these new rules say, how they work and what comes next as the adequacy review process proceeds.
What’s in a name?
You are excused if you were confused by the name of this new framework. When U.S. and EU leaders reached an agreement in principle in March on a new accord to address the CJEU’s concerns with Privacy Shield, they called it the “Trans-Atlantic Data Privacy Framework.” Officials made clear at the time the name covered only protections in the national security sphere, which were separate from the commercial Privacy Shield Principles.
This new name covers the full accord, including the protections and newly created redress mechanism governing U.S. signals intelligence activities and the commercial principles to which U.S. companies can self-certify.
The substance and structure
The new DPF includes three components: commercial data protection principles to which U.S. organizations may self-certify, a presidential executive order and DOJ regulations.
The commercial piece
Since the CJEU did not call into question Privacy Shield’s commercial principles, most stakeholders thought these would go untouched. While U.S. authorities noted the changes, which are still being finalized, should not significantly affect existing Privacy Shield participants’ substantive obligations, they are important.
And since the Privacy Shield Principles were negotiated while the EU General Data Protection Regulation was being finalized, they reflected its substantive provisions, but still referenced the 1995 EU Data Protection Directive. U.S. authorities indicated the new DPF will update all references in the commercial principles to refer to the GDPR directly.
Privacy Shield participants should stay tuned for further updates and guidance from the U.S. Department of Commerce on how to reflect these changes in privacy policies and their self-certification down the line.
Organizations should note this changes the definition of personal data under the commercial principles, which will link to that of the GDPR rather than the Directive. Privacy Shield participants should stay tuned for further updates and guidance from the U.S. Department of Commerce on how to reflect these changes in privacy policies and their self-certification down the line.
The national security pieces
Taken together, the executive order and DOJ regulations aim to address the two failings the CJEU cited in invalidating the Privacy Shield: lack of necessity and proportionality limits on U.S. surveillance programs and insufficient redress rights to challenge unlawful government surveillance. Both the substance and legal structure of these components matter under the CJEU’s essential equivalence test.
Necessity and proportionality under the executive order
The executive order requires…
Schrems II Judgment Day
The Court of Justice of the European Union (“CJEU“) issued its judgment today in …
