The President just signed an executive order on government surveillance that should pave the way to an operable trans-Atlantic data transfer deal with the European Union (EU) by spring 2023.
The prior deal, the U.S.-EU Privacy Shield, was struck down by a European court in March 2020 in the Schrems II case.
Insights and analytics companies that retained their self-certification, such as through the Insights Association’s Privacy Shield program, should be able to transition quickly to the new data framework once it comes to fruition. The IA Privacy Shield Program is a benefit exclusive to company members and corporate research department members, since IA serves as an Independent Recourse Mechanism (IRM), a required component of the program.
The White House’s October 7, 2022 Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities directs “steps that the United States will take to implement the U.S. commitments under the European Union-U.S. Data Privacy Framework (EU-U.S. DPF) announced by President Biden and European Commission President von der Leyen in March of 2022.” It aims to "restore an important legal basis for transatlantic data flows by addressing concerns that the Court of Justice of the European Union raised in striking down the prior EU-U.S. Privacy Shield framework as a valid data transfer mechanism under EU law."
Welcoming “significant improvements compared to the Privacy Shield,” the European Commission announced it would move to adopt an "adequacy decision" under the EU General Data Protection Regulation (GDPR) for the framework. As the Commission explained:
“The adoption procedure for an adequacy decision consists of different steps: obtaining an opinion from the European Data Protection Board (EDPB) and the green light from a committee composed of representatives of the EU Member States. In addition, the European Parliament has a right of scrutiny over adequacy decisions. Only after that, the European Commission can adopt the final adequacy decision in relation to the US. From that moment on, data will be able to flow freely and safely between the EU and US companies certified by the Department of Commerce under the new framework. US companies will be able to join the framework by committing to comply with a detailed set of privacy obligations.”
IAPP also shared an infographic in March mapping the process.
Nothing is yet set in stone, of course. Privacy Shield was struck down by the courts several years after the preceding Safe Harbor was similarly invalidated. As soon as the Biden Administration's executive order was announced, a leading EU activist group warned it was “likely still insufficient to protect Europeans’ privacy and personal data when it crosses the Atlantic.” Such activist groups are probably already preparing their new opposition briefs for court.
However, the Insights Association remains optimistic.
"IA members who have maintained their U.S. Privacy Shield enrollment throughout the last few chaotic years are looking forward to resolving the critical U.S.-EU concerns that invalidated the framework in 2020," commented Juliana Wood, IA Director of Certifications.
IA company and department members interested in Privacy Shield and the new EU-U.S. Data Privacy Framework should contact Juliana Wood.
This information is not intended and should not be construed as or substituted for legal advice. It is provided for informational purposes only. It is advisable to consult with private counsel on the precise scope and interpretation of any laws/regulation/legislation and their impact on your particular business.