?The United States and the European Commission (EC) have agreed in principle to a new protocol—the Trans-Atlantic Data Privacy Framework—that would make it easier for companies to transfer personal information, including employee details, from European Union (EU) nations to the U.S.
The new framework, announced in March, seeks to address privacy concerns that the EU’s Court of Justice cited in 2020 when it invalidated an earlier protocol, the Privacy Shield Framework. Legal experts expect privacy activists to challenge the new agreement, as they successfully did with the Privacy Shield and an earlier framework.
The Trans-Atlantic Data Privacy Framework aims to put in place better privacy protections to limit U.S. intelligence activities involving EU residents’ personal data and would allow EU residents to seek redress through an independent Data Protection Review Court.
The EC cited several key principles comprising the new framework, noting that:
- Data will be able to flow freely and safely between the EU and participating American companies.
- New rules and binding safeguards would limit U.S. intelligence authorities’ access only to data that is “necessary and proportionate” to protect national security, and intelligence agencies will adopt procedures to ensure effective oversight of new privacy and civil liberties standards.
- A new independent, two-tier redress system, including the Data Protection Review Court, would investigate European residents’ complaints about U.S. intelligence authorities’ access to their personal data.
- Specific monitoring and review mechanisms will be put in place.
Streamlining Data Management
The Trans-Atlantic Data Privacy Framework must go through various regulatory steps before it becomes effective and available to multinational companies.
The EU Court of Justice’s decision to invalidate the Privacy Shield Framework in 2020 “left a gap in safeguards available for exports of personal data to the USA, which the Trans-Atlantic Data Privacy Framework is seeking to fill,” said Katie Hewson, a partner specializing in United Kingdom (U.K.) and EU data protection and privacy law with Stephenson Harwood in London.
Under the EU’s General Data Protection Regulation, safeguards must be in place to ensure that any personal data exported to other countries is protected to equivalent EU standards, Hewson noted.
Before it was invalidated, the Privacy Shield Framework “streamlined and facilitated U.S. data exports,” meaning that no additional documentation was needed to send personal data to participating U.S. companies, said Hewson. The Privacy Shield itself replaced an earlier safeguard, the U.S.-EU Safe Harbor Framework, that the court invalidated in 2015.
The details announced suggest that the new framework will work in a similar way by facilitating personal data exports to U.S. organizations that self-certify their adherence to its principles through the U.S. Department of Commerce, according to Hewson.
The personal data could include employee names, contact information, performance evaluations, staff identification, and salary and benefits details that a global company might send to a U.S. office, she said. Post-Brexit, the U.K. isn’t part of the discussions and is conducting its own data-transfer privacy negotiations with the U.S., she noted.
When the EU court invalidated the Privacy Shield, more than 5,000 companies had self-certified as adherent to that framework, indicating they satisfied the “adequacy requirements” of the EU’s General Data Protection Regulation, according to Philip Gordon, an attorney with Littler in Denver.
Without the Privacy Shield, multinational companies have relied mostly on standard contractual clauses, or SCCs, for international data transfers, but these are more complicated, time-consuming and onerous to implement, according to legal experts, who consider the new framework a significant step for companies.
The SCC agreements require parties to assess the laws of destination countries to ensure intelligence agencies are not allowed access to data in a way that would interfere with a company’s ability to provide an EU-like level of protection for the imported data, Gordon explained.
Several Steps Before Official
“Unless and until the framework is approved and in effect, organizations cannot rely on it to safeguard their data exports to the USA. Therefore, for now, U.S. and EU organizations will need to continue to work together to put in place alternative safeguards and to carry out transfer impact assessments on their EU-U.S. data exports,” Hewson said.
Every U.S. multinational with an EU presence needs to transfer employee data “so they can manage their workforce globally, so the implications are huge,” Gordon said. The new framework would provide a “smoother, easier data transfer mechanism” for multinational employers; that’s why so many had signed up for the previous privacy shield, he said.
U.S. and EU negotiators have said informally they aim to put the framework into effect by year-end, Hewson noted. Gordon, however, expects it to take at least a year before companies will be able to take advantage of it.
Most companies seem excited about the proposed framework, although the excitement is tempered with concern, Witt said. “They’re hoping that it will make data transfers more streamlined and less time-consuming” without violating European citizens’ rights, she said.
Concerns include the possibility that a future U.S. president could reverse executive orders related to the agreement and that activists will challenge this framework, as well.
“The big question is whether it will be invalidated in a couple of years by the Court of Justice of the European Union,” said Witt, who suggested companies take a “belt and suspenders approach” by using both the SCCs and certifying to the new data framework.
Gordon expected authorities to be extremely careful before publishing a final framework to help protect the protocols from likely litigation.
“It would be disastrous to have the next iteration of the Privacy Shield invalidated,” he said.
Dinah Wisenberg Brin is a freelance reporter and writer based in Philadelphia.