After years of negotiations following the Schrems II decision, in which the Court of Justice of the European Union (CJEU) rejected the Privacy Shield framework as failing to provide adequate safeguards for the transfer of personal data from the European Union to the United States, the European Commission has approved a new EU-U.S. Data Privacy Framework as adequate, effective July 11th.
The new Framework builds upon many of the same principles that underpinned Privacy Shield, such as transparency about data processing, mechanisms for data subject inquiries, and choice for data subjects about certain data processing activities. It also attempts to remedy the concerns raised by the CJEU in Schrems II about the collection and use of personal data by the U.S. national security apparatus by creating a new Data Protection Review Court that will have authority to order certain remedies related to national security collection and use. However, this new “court” has been subject to criticism because, despite its name, it is not actually a court within the judicial branch of government, but rather an administrative body within the executive branch, raising concerns that it may not truly be able to exercise independent judgment.
The adequacy of the Data Protection Review Court and the Framework as a whole is likely to be subject to legal challenges. Max Schrems, Honorary Chairman of advocacy group NOYB and named plaintiff in the Schrems II decision, has already indicated that he considers the Framework insufficient to resolve the CJEU’s concerns and that NOYB will appeal it. Unless enjoined by a court, the Framework will remain in effect pending legal challenges.
Businesses engaging in EU-U.S. data flows should strongly consider participation in the Framework as a means of ensuring adequate safeguards for such transfers under GDPR. This includes companies that have relied upon the Standard Contractual Clauses, which the European Data Protection Board (EDPB) has highlighted as potentially being insufficient unless paired with additional safeguards because of U.S. national security concerns. Over the coming weeks the EDPB will likely publish additional guidance for operationalizing the Framework. We stand ready to assist clients who would like to participate in the Framework and improve their GDPR compliance strategy.
A Partner at M&S, Josh advises clients on a range of proactive and responsive matters, helping them achieve their business goals while complying with federal and state privacy and other consumer protection laws.