July 4, 2022

Volume XII, Number 185


The U.S. and EU Announce an “Agreement in Principle” to Replace the EU-U.S. Privacy Shield Framework: What Employers Need to Know

On March 25, 2022, the European Union (EU) announced that the United States and the EU had reached an agreement in principle to replace the EU-U.S. Privacy Shield framework, which the European Court of Justice (CJEU) struck down in its July 2020 Schrems II decision. Since the Schrems II decision, U.S. and EU negotiators have been hammering out a workable data transfer mechanism to permit the transfer of EU data to the United States.

What does the agreement provide?

The White House and European Commission each issued fact sheets that outline some of the details of the new agreement.  The new data transfer framework will be called the “Trans-Atlantic Data Privacy Framework” (TADPF) and will address the concerns raised by the CJEU in the Schrems II decision regarding the expansive data collection activities of U.S. intelligence agencies and the lack of judicial remedies under U.S. laws for EU data subjects whose data is collected by these agencies. Specifically, the TADPF will ensure that:

  • Binding safeguards will be in place to limit access to data by U.S. intelligence agencies to what is necessary and proportionate to protect legitimate national security objectives and will not disproportionately impact the protection of individual privacy and civil liberties;

  • EU individuals will be able to seek redress for any improper collection of data by U.S. intelligence agencies from a new multi-layer redress mechanism that includes an independent Data Protection Review Court that will consist of individuals chosen from outside the U.S. government who will have full authority to adjudicate claims and direct remedial measures as needed; and

  • U.S. intelligence agencies will adopt procedures to ensure effective oversight of new privacy and civil liberties standards.

Companies and organizations that implement the TADPF will be required to comply with many of the Privacy Shield principles, including the requirement to self-certify their compliance through the U.S. Department of Commerce. Additionally, as under the Privacy Shield, EU individuals will continue to have access to multiple avenues of recourse to resolve complaints against participating TADPF organizations, including through alternative dispute resolution and binding arbitration.

What are the next steps for the new framework?

The U.S. government and the European Commission will translate this agreement into legal documents that will need to be adopted on both sides to implement the TADPF. The United States will document its commitments in an executive order that will form the basis of the European Commission’s assessment in its future adequacy decision.

Thereafter, the European Commission must follow a multi-step process for issuing the adequacy decision for the new framework. First, the EU Commission must draft a written proposal for the adequacy decision. Second, the European Data Protection Board (EDPB) must review and issue an opinion regarding the proposal. Third, representatives of the EU countries must approve the proposal.  Fourth and finally, the European Commission must formally issue an adequacy decision finding that the new framework provides protections for EU data that are essentially equivalent to those provided under EU law, i.e., the EU General Data Protection Regulation (GDPR).

This multi-step process will take time. For example, the process for issuing the adequacy decision for the Privacy Shield framework took six months from the European Commission’s proposal in February 2016 to the adoption of the adequacy decision in August 2016.

Will the new framework be upheld by the CJEU?

This is the key question. The CJEU has twice invalidated data transfer mechanisms between the EU and United States, the EU-U.S. Safe Harbor Framework in 2015 (the Schrems I decision) and the Privacy Shield in Schrems II, because of concerns regarding the collection activities of U.S. intelligence agencies and the lack of legal remedies for EU data subjects. Austrian privacy activist Max Schrems, who initiated the legal cases that resulted in both the Schrems I and Schrems II decisions, has already indicated that he will challenge the TADPF.

One thorny legal issue will be whether EU data subjects have an effective legal mechanism to challenge the U.S. government’s collection of their data under the TADPF. Currently, the ability of an EU data subject to obtain judicial redress against the U.S. government regarding its surveillance activities is severely restricted because U.S. surveillance activities are highly secret and EU data subjects must overcome the formidable obstacle of showing they have standing to sue the U.S. government because they have been harmed by these secretive practices.

What do employers need to know?

The key takeaways for EU companies and U.S. companies with employees in the EU are:

  • There is no indication that EU regulators will grant a grace period from enforcement activities while the European Commission undertakes its adequacy decision process to finalize the TADPF. Thus, employers are still required to comply with current EU data transfer requirements by using EU standard contract clauses (SCCs), binding corporate rules (BCRs), or the derogations under the GDPR to transfer EU human resources data to the United States until the TADPF is operational. Employers using SCCs or BCRs must also conduct a transfer impact assessment (TIA) to analyze whether EU human resources data can be safely transferred under current U.S. surveillance laws and whether supplementary technical, contractual or organizational measures must be implemented to adequately protect the transferred data.

  • Once the TADPF becomes effective, it will apply only to data transfers from EU/EEA countries to the United States. Data transfers from the UK and Switzerland, which previously recognized the Privacy Shield for transfer of data to the United States, will still need to comply with the UK International Data Transfer Agreement (IDTA) and its version of the TIA, the Transfer Risk Assessment (TRA), or the UK addendum to the SCCs, and the TIA for UK data transfers; and the Swiss addendum to the SCCs and the TIA for Swiss data transfers. Given the expected legal challenges to the TADPF, it is unclear whether the UK or Switzerland will adopt the TADPF to permit data transfers to the United States from their respective countries.

  • Similarly, it is unclear at this point whether the TADPF can or will cover onward transfers of human resources data to other third countries like India, such as situations in which a U.S. parent company receives a transfer of human resources data from its EU subsidiary and then transfers this EU data to a payroll company or other vendor in India. Thus, employers may still need to use SCCs and conduct a TIA for such onward transfers.

  • Finally, even after the TADPF is operational, employers using the TADPF may wish to continue using the technical, contractual, and organizational supplementary measures under their current SCCs or BCRs in the event that the TADPF is invalidated by a Schrems III decision, which, like the Schrems II decision, may fail to provide a grace period to find an alternate legal transfer mechanism.

© 2022, Ogletree, Deakins, Nash, Smoak & Stewart, P.C., All Rights Reserved. National Law Review, Volume XII, Number 90

About this Author

Simon McMenemy, Labor Employment, Managing Partner, New York, OgleTree Deakins law firm
Managing Partner

Simon is an experienced employment law practitioner. He was called to the Bar in 1995, and subsequently qualified as a solicitor while working in the employment and incentives team of a major global law firm. He has advised on the employment aspects of many major international and multi-jurisdictional mergers and acquisitions. He also has a wide range of experience in advising companies on change management, particularly in relation to acquired rights, pensions and benefits. Simon advises on the increasingly complex issues arising on data privacy and data protection in the workplace and is...

44 (0)20 7822 7620
Grant Petersen, Labor, Employment, Ogletree Deakins
Shareholder

Mr. Petersen represents and counsels employers regarding a broad range of U.S. and international labor and employment law issues, Foreign Corrupt Practices Act and other anti-corruption law issues, and data privacy and data protection law issues. He represents clients in a wide variety of industries, including manufacturing, service, healthcare, financial, retail, and food processing, as well as multinational companies and trade associations.

813-221-7231
Associate

Salvatore specializes in data protection and privacy law. He supports clients across the world with their regulatory data privacy compliance. He works with partners and associates across Ogletree Deakins’ international network to advise clients on the impact of global data privacy laws, the complexities of international transfers, and the practical steps for compliance solutions to the myriad data protection laws. He also writes a personal blog on data privacy and technology, which features regular data protection, privacy and security legal updates to help his readers...

44(0) 207 822 7632