On March 25, 2022, the EU Commission and US announced that an agreement in principle on a new framework for transatlantic data flows had been reached (see the Commission’s statement here, here, and here, and the US White House’s statement here).  The Commission and the U.S. published draft factsheets outlining the agreement (see the Commission’s factsheet here and the U.S. factsheet here).  This agreement will form the basis for an adequacy decision in the EU and an executive order in the US, which both parties will draft as a next step.

Today’s announcement follows lengthy negotiations that began shortly after the Court of Justice of the EU’s (“CJEU”) Schrems II judgment on July 16, 2020, which annulled the EU-US Privacy Shield (see our blog post here).  There, the CJEU held that the US did not provide an “essentially equivalent” level of data protection to that found in the EU, due in part to extensive powers granted to US law enforcement and intelligence agencies to access data and an absence of effective legal remedies for EU residents.

According to the published factsheets, the US has made “unprecedented commitments” that build on the safeguards that were in place under the annulled Privacy Shield framework with the aim of addressing issues identified in the Schrems II decision.  The new framework will:

  • strengthen the privacy and civil liberties safeguards governing U.S. signals intelligence activities through binding safeguards limiting U.S. intelligence authorities’ access to data to what is necessary and proportionate to protect U.S. national security;
  • establish a new, multi-layered redress mechanism with independent and binding authority composed of individuals chosen from outside the U.S. Government who will have full authority to investigate and adjudicate claims, as well as impose remedial measures, as needed; and
  • enhance the U.S.’ existing rigorous and layered oversight of signals intelligence activities.

Just as with the annulled Privacy Shield, U.S. companies will need to self-certify their adherence to the Privacy Shield 2.0 once it is released.

This is undoubtedly good news for industry, as such a framework will offer industry another option when transferring personal data from the EU, alongside EU contractual clauses and other means.  However, any new framework is certain to be pressure-tested before the EU courts, and at least one privacy advocacy group has, issued a statement challenging the legality of the agreement (see NOYB statement here).

The Covington team will keep monitoring any developments on the Privacy Shield 2.0 and continue to report on them on our blog Inside Privacy.

Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as Privacy International and the European security agency, ENISA.

Read more about Dan Cooper
Show more Show less
Photo of Anna Oberschelp de Meneses Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate…

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.  She has obtained a certificate for “corporate data protection officer” by the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).  Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.  Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.

Read more about Anna Oberschelp de Meneses
Show more Show less