Privacy Shield was annulled but it is being updated. Once finalised, it will reduce the need to use the EU Commission’s standard contractual clauses for data transfers (which have also been updated for GDPR).

The Court of Justice of the EU annulled the EU-US Privacy Shield in the Schrems II case in July 2020. This was because the US did not provide an “essentially equivalent” level of data protection to that found in the EU. This was partially due to the sweeping surveillance powers of US law enforcement agencies.

Now the EU and US have negotiated a new arrangement with details in factsheets published by both sides (EU factsheet, US factsheet). Under the new Trans-Atlantic Data Privacy Framework, the USA will:

• strengthen the privacy and civil liberties safeguards governing US signals intelligence activities

• establish a new redress mechanism with independent and binding authority

• enhance its existing rigorous and layered oversight of signals intelligence activities

What does this mean?

The legal detail is still to be worked out but, once it is, personal data may once again flow freely between the EU and companies in the USA. US companies participating in the scheme will need to self-certify their adherence just as they did under the Privacy Shield. But we can expect this to be tested before the courts again. Schrems III anyone?

Furthermore, since Brexit means the UK is outside this data transfer regime while still adhering to GDPR standards, so we can expect the ICO to mimic this arrangement like it has with its own IDTA.

If you need advice, contact me f.jennings@teacherstern.com or +44 (0) 20 7611 2338.