United States and EU Come to Agreement in Principle for New Data Transfer Pact

The full alert is Available for download with footnotes here.

On Friday, March 25, 2022, in a joint news conference in Brussels, European Commission President Ursula von der Leyen and United States President Joe Biden announced that the EU and the United States had reached an “agreement in principle” for the creation of a new trans-Atlantic data transfer framework.

The agreement will be the third attempt at creating a lasting framework for the trans-Atlantic transfer of data. The first, the International Safe Harbor Privacy Principles, was struck down on October 6, 2015 by the European Court of Justice (ECJ). The ECJ invalidated the Safe Harbor Principles based on concerns of government surveillance in the United States.

In response, the EU and United States established the Privacy Shield to replace the Safe Harbor Principles. However, that framework was similarly invalidated in a challenge by an E.U. citizen to Facebook’s transfer of personal data to the United States. The E.U. citizen argued that the Privacy Shield offered insufficient safeguards against surveillance by the United States intelligence community. The ECJ agreed, highlighting the broad scope of permissible surveillance under the United States national security laws. That surveillance, in the eyes of the court, permitted use of E.U. citizens’ personal data in contravention of EU law. Further, the court noted that the Privacy Shield failed to provide effective judicial oversight against such interferences.

The new agreement has not yet been codified into a legal document, and the specifics of the agreement are still unclear. The European Commission has, however, outlined the key principles that will eventually be codified in the final legal document. Those key principles are:

• the free and safe flow of data between the “between the EU and participating U.S. companies;”
• “necessary and proportionate” new safeguards limiting “access to data by U.S. intelligence authorities;” and new procedures for U.S. intelligence agencies . . . to ensure effective oversight of new privacy and civil liberties standards;”
• a “new two-tier redress system to investigate and resolve complaints of Europeans on access of data by U.S. Intelligence authorities, which includes a Data Protection Review Court;”
• “[s]trong obligations for companies processing data transferred from the EU, which will continue to include the requirement to self-certify their adherence to the Principles through the U.S. Department of Commerce;” and
• “[s]pecific monitoring and review mechanisms.”

With an agreement in principle in place, the two sides will now work on the details of the agreement and its subsequent codification into formal legal texts. The agreement hopes to finally provide a lasting framework for the trans-Atlantic transfer of data, ensuring adequate protection for E.U. citizens while also providing businesses with clear and streamlined rules.

Attorney advertising. The material contained in this Client Alert is only a general review of the subjects covered and does not constitute legal advice. No legal or business decision should be based on its contents.