You may recall that in 2020, the Court of Justice of the European Union (CJEU) (C- 311/18, Data Protection Commission vs. Facebook Ireland Ltd. and Maximilian Schrems) (Schrems II) invalidated the EU-US Privacy Shield, and called into question the continued viability of other mechanisms for transferring personal information such as Standard Contractual Clauses under the GDPR. The CJEU based its conclusions primarily upon findings that the Privacy Shield: (a) did not adequately prevent federal government authorities from accessing the personal information of data subjects located in the EEA, and (b) did not provide adequate remedies for those data subjects to enforce their rights. While the court did not outright strike down the Standard Contractual Clauses, it did indicate that by their inherently contractual nature, those Clauses could not bind the government to the private agreement of the parties. The Schrems II decision led to businesses having to undertake transfer impact assessments and agreeing to supplemental measures in order to make the Standard Contractual Clauses a viable mechanism for cross-borer transfers from the EEA to the US.
At the end of March the White House announced that the United States and the European Commission have committed to a new Trans-Atlantic Data Privacy Framework, which will foster trans-Atlantic data flows and address the concerns raised by the Court of Justice of the European Union when it struck down in 2020 the Commission’s adequacy decision underlying the EU-U.S. Privacy Shield framework. Under the Trans-Atlantic Data Privacy Framework, the United States has made commitments to:
- Strengthen the privacy and civil liberties safeguards governing U.S. signals intelligence activities;
- Establish a new redress mechanism with independent and binding authority; and
- Enhance its existing rigorous and layered oversight of signals intelligence activities.
The White House announcement emphasizes that this new arrangement will support the continued flow of data that underpins more than $1 trillion in cross-border commerce every year, and will enable businesses of all sizes to compete in each other’s markets. It is the culmination of more than a year of detailed negotiations between the EU and the US following the Schrems II decision. Although unclear at this point, in theory the changes the US Government is making should once again make the Standard Contractual Clauses a safe option for personal data transfers from the EEA to the US.