US signs executive order for a new EU-US data transfer agreement


On 7 October, US President Joe Biden signed the executive order on the establishment of a new Trans-Atlantic Data Privacy Framework into law. The bill aims to reinstate a solid legal mechanism for transfers of EU personal data to the US. The move follows the official announcement of a new data flow agreement by the European Commission’s President Ursula von der Leyen and her American counterpart in March 2022. The US law has now been forwarded to the relevant EU services for scrutiny.

Under the newly introduced law, the US creates safeguards for EU citizens to seek redress if they believe their data, once shuttled to the US, mostly for commercial analytical purposes, has been unlawfully accessed by US intelligence services. In addition to introducing new rights for data subjects, the deal is expected to create legal certainty for businesses moving data from the EU to the US and vice versa, a transatlantic economic relationship valued at over 7 trillion dollars per year.

The new legal framework is the result of EU-US negotiations started in mid-2020, when the Court of Justice of the European Union (CJEU) outlawed the then-in-force adequacy decision for transfers of European data to the US, the so-called Privacy Shield. The CJEU found that the agreement fell short of ensuring that personal information on European data subjects was protected from access by secret services in the US. More recently, numerous national Data Privacy Authorities (DPAs) throughout the EU invalidated the widespread Standard Contractual Clauses (SCCs), until then used as efficient supplementary protective measures, gradually leading to an overall disruption of data flows across the Atlantic.

Concretely, the Trans-Atlantic Data Privacy Framework includes far-reaching commitments from the US government to establish a new redress body for EU citizens within the U.S. Department of Justice. Potential European plaintiffs will be able to lodge complaints challenging the use of their data with a fully-fledged Data Protection Review Court, composed of independent officials empowered to issue binding remedies. Furthermore, US Intelligence agencies will have to comply with a more stringent framework when collecting data, notably by substantiating that the data harvesting aimed to address specific national security matters.

Under the lead of the Commissioner for Justice, Didier Reynders, the relevant Commission services are currently assessing how to translate this arrangement into a revamped EU adequacy decision, of which the first draft may be expected after 4 to 6 weeks. The procedure shall include all concerned parties, such as national DPAs as well as EU Member States, and is expected to take up to six months. According to this timeline, a new EU-US data pact should be operative by March 2023.

Ecommerce Europe has been closely following the developments with regard to an updated EU-US Data Privacy Framework and has already called, together with other stakeholders, on the EU institutions to start technical negotiations on a new EU-US framework for data flows in a timely manner. You can (re)read our joint statement here.