The United States and the European Union have taken a major political step forward in creating a future for a more free flow of personal data between the two jurisdictions. On March 25, 2022, European Commission President Ursula von der Leyen and U.S. President Joe Biden held a joint press conference announcing that they had found an “agreement in principle,” referred to as the Trans-Atlantic Data Privacy Framework. Von der Leyen announced that the agreement would “enable predictable, trustworthy data flows between the EU and the US, safeguarding privacy and civil liberties.” Of course, the question remains–what does this agreement in principle amount to, and, once a full-fledged version is passed, will the European regulators and Court of Justice agree that it provides sufficient protection?
Because that is how we got here in the first place. Here’s a brief timeline review of some of the key data transfer agreements and restrictions between the US and the EU:
- The Safe Harbor Agreement of 2000 allowed US companies and organizations to meet EU data protection requirements and permitted the legal transfer of personal data between EU member states and the United States.
- In 2013, unauthorized disclosures of US National Security Agency surveillance programs and other allegations regarding US intelligence activities in Europe led to scrutiny of cross-border data flows.
- Concerns were raised regarding both how US technology firms used the personal data and the extent to which the US government might have access to the data.
- The European Court of Justice invalidated the Safe Harbor Agreement in October 2015.
- On February 2, 2016, an agreement “in principle” was announced. This replacement for Safe Harbor was known as Privacy Shield. The official text of Privacy Shield was released later that month, and it went into effect in July 2016.
- The European Court of Justice invalidated Privacy Shield in July 2020 in a case known as Schrems II.
Following the invalidation of Privacy Shield, essentially all transfers of personal data from the EU to the US relied on the EU’s Standard Contractual Clauses. However, Schrems II not only invalidated Privacy Shield, it also called into question the efficacy of the SCCs. As a result, the European Commission adopted new SCCs and the European Data Protection Board (EDPB) issued guidance on how to supplement the SCCs through actions such as completing transfer impact assessments.
What does all of this mean for companies that wish to transfer data from the EU to the US? Essentially, it means that they have to undergo a fairly intensive process that involves intensified SCCs as well as additional steps to ensure that the SCCs are being upheld and that the recipient is doing everything possible to protect that data from US government intrusion once it arrives in the US. Simply signing the SCCs is no longer sufficient to be considered GDPR-compliant.
The new “agreement in principle” between the EU and the US will, according to the Fact Sheet released by the White House, included “unprecedented commitments” by the United States to:
- Strengthen the privacy and civil liberties safeguards governing U.S. signals intelligence activities;
- Establish a new redress mechanism with independent and binding authority; and
- Enhance its existing rigorous and layered oversight of signals intelligence activities.
These Framework principles signal progress on the two main issues that Schrems II found with the transatlantic data flows: (1) insufficient redress mechanisms for EU citizens in the US if their privacy rights were violated and (2) the United States’ ability to meet the European Court of Justice’s necessity and proportionality standards when it comes to government access to data. Experts still expect it will be some time before we see the actual text of any agreement, and there are already indications from NYOB (the EU nonprofit headed by Maximilian Schrems, the privacy advocate who challenged the previous US–EU privacy frameworks) that it anticipates it or another organization will take the new agreement back to court within months from its publication because they find it unlikely that a “purely political” agreement can solve the underlying incompatibility between the jurisdictions’ laws.
Political leaders are much more positive, heralding the announcement as a huge step forward in easing the process for transatlantic data flows. President Biden stated, “This framework underscores our shared commitment to privacy, data protection, and the rule of law. And it’s going to allow the European Commission to once again authorize trans-Atlantic data flows that facilitate $7.3 trillion in economic relationships with the EU.” President von der Leyden focused on European concerns regarding trusting the US to properly protect data, stating, “This will enable predictable and trustworthy data flows between the EU and US, safeguarding privacy and civil liberties.
While we wait for the new agreement to be fully hashed out and published, some commentators have suggested that the European regulators may ease enforcement actions concerning transatlantic data flows because that is what happened when the Privacy Shield “agreement in principle” was announced. However, there were only a few weeks between the announcement of the Privacy Shield agreement and the official release of the text of that agreement, which meant that regulators knew what the changes would look like.
We are anticipating a longer turnaround time for the text of this new Framework. Companies should continue to ensure that they are not only entering into the new SCCs for their international data transfers, but that they are monitoring those transfers for compliance and that they are conducting Transfer Impact Assessments to ensure that they are taking any necessary supplementary measures to protect the data they are transferring from the EU to the US.
SixFifty Solutions
SixFifty’s privacy toolsets allow companies to create contracts, policies, and documents to comply with privacy laws around the world. Our team of lawyers always have their eyes on privacy developments, and regularly update our toolsets to adapt to changes in the law in real time.
Curious? Schedule a personalized demo with SixFifty today!
Written by Marie Kulbeth
Marie Kulbeth is a Co-Founder and General Counsel of SixFifty, and the co-director of BYU LawX, a legal design lab dedicated to solving access to justice problems. She works to make the law straightforward for everyone, regardless of education level or income. Marie keeps her passion for equitable, accessible legal services at the forefront of her career. Her role as...
Full Bio and other articles by Marie Kulbeth
About The Author: Marie Kulbeth
Marie Kulbeth is a Co-Founder and General Counsel of SixFifty, and the co-director of BYU LawX, a legal design lab dedicated to solving access to justice problems. She works to make the law straightforward for everyone, regardless of education level or income.
Marie keeps her passion for equitable, accessible legal services at the forefront of her career. Her role as General Counsel allows her to field-test SixFifty’s products to ensure they’ll work for customers.
Education and Experience
Marie attended Brigham Young University, and spent most of her undergrad studying International Politics and Development. It was during a field study in South Africa that she first decided to become a lawyer. As she researched the new South African constitution and worked with community organizers, Marie became fascinated with the development of the rule of law and how it in turn fosters economic development.
After undergrad, she attended BYU Law, where she continued focusing on improving equity, specifically through access to justice. She spent time interning with a nonprofit at the Human Rights Council in Geneva and with the United Nations International Tribunal for the Rwandan Genocide. At home, she interned with Catholic Charities, focusing on supporting asylum cases. Marie’s work with communities and governments across the globe broadened her understanding of how the law can either uplift or further harm underserved populations.
After law school, Marie worked as a judicial law clerk for the US Fifth Circuit Court of Appeals. She then practiced commercial litigation in Salt Lake City before returning to BYU Law, where she became an Assistant Dean. During her time at BYU Law, Marie built a diversity recruiting program and a storytelling program. Although she has left academia, she continues to keep a hand in by teaching a legal design class at BYU Law School and an undergraduate international politics class that focuses on development and diplomacy at BYU’s Kennedy Center. Both courses help students increase their community engagement and use their skills to create change.
Achievements with SixFifty
Marie’s work with both SixFifty and LawX focuses on making the law less complicated and
more equitable for both companies and individuals.
Marie’s legal specialty is privacy. She has additional focus areas in legal technology; diversity, equity and inclusion; employment; and compliance. She enjoys the opportunity to build products with the legal product team, including pro bono products. This allows her to work with communities she cares about – and complements the work she continues to do at BYU.
With Marie’s guidance and experience, SixFifty is able to offer privacy products that allow even small companies to easily comply with global privacy restrictions. Her passion for making the law accessible to everyone is evident in our pro bono products, which help individuals access free legal help for common issues.
Get to Know Marie
When she’s not helping to advance SixFifty’s mission, Marie travels whenever she can. Keep your eyes open and you may find her anywhere in the world – one of her favorite trips was a seven-day motorbike tour of northern Thailand. She especially loves to canyoneer in southern Utah and explore wilderness areas.
Marie also continues her community development and education work. She is on the board of several nonprofits, including one that runs primary schools in South Sudan and the Utah Tribal Relief Foundation. She recently joined the board of the Mountainland Association of Governments, which focuses on making loans to entrepreneurs from underserved communities who lack access to traditional funding. She’s also a Model UN legend! She is the Executive Director of BYUMUN, Utah’s premier high school Model United Nations learning conference.
Marie loves podcasts and will nerd out on anything related to the law, the history of the English language, and anything done by the people at Radiolab.
Bar Licensed
Utah
More posts by Marie Kulbeth