U.S., EU to Address International Data Transfers Privacy

April 12, 2022

  • The U.S. and European Union (EU) have reached a preliminary agreement to allow the transfer of Europeans’ personal data to the U.S.
  • This deal may help organizations facing legal challenges avoid regulatory enforcement and regain stability in terms of their data transfer operations.
  • Organizations planning on transferring personal data from the EU to the U.S. should continue to evaluate their data transfers on a case-by-case basis.
  • Affected organizations should also continue to consult the European Data Protection Board’s six-step roadmap to assist in the assessment of transfers and application of measures that can be taken to safeguard the transfer of personal data.


On Friday, March 25, President Biden and European Commission President Ursula von der Leyen announced that the U.S. and European Union reached a preliminary agreement to allow the transfer of Europeans’ personal data from the EU to the U.S.


This new deal, titled the Trans-Atlantic Data Privacy Framework, reestablishes a legal mechanism for transfers of EU personal data to the U.S. Included in this deal are commitments from the U.S. to address EU privacy concerns and adequately protect transferred data:


  • The U.S. commits to implement new safeguards to ensure signals intelligence activities are necessary and proportionate.
  • The U.S. will establish a mechanism where EU individuals who feel unlawfully targeted by signals intelligence activities may seek redress through an appeal process.
  • U.S. intelligence agencies conduct oversight of new privacy and civil liberties standards.


Going forward, the U.S. government and the European Commission will draft the appropriate legal documents that will be adopted to enact the Trans-Atlantic Data Privacy Framework.


Why Does This Matter?

In response to the revelations about U.S. government data practices from former U.S. National Security Agency contractor Edward Snowden, Max Schrems, a privacy advocate and activist, filed a complaint in 2013. This complaint led to a review by the Court of Justice of the European Union (CJEU).


In 2015, the CJEU invalidated Safe Harbor, a previous data transfer agreement between the EU and the U.S. Later in 2020, the CJEU also invalidated Privacy Shield, which was a follow-up attempt to remediate data protection issues related to Safe Harbor. The CJEU found that the protection of personal data had limitations due to domestic law in the U.S. as well as the access and use by U.S. public authorities.


Since the CJEU threw out the two previous data-transfer pacts, organizations that rely upon data transfers have been facing legal and operational uncertainty. In recent months, European data protection agencies have issued orders against the flow of personal data passing through products such as Google Analytics, Stripe and others.


Facebook’s parent company, Meta, has faced legal scrutiny over its international data transfers, with the matter reaching the Irish Data Protection Commission (DPC), which sent a preliminary order in September 2020 requesting the suspension of EU-to-U.S. data transfers. Meta received a “revised” decision in February 2021 and was given the opportunity to provide additional information before the DPC arrives at a final decision.


What Comes Next?

Eventually, this new agreement will face legal challenges to test how robust the agreement is in terms of adequately protecting EU citizens’ rights when their personal data is transferred to the U.S.


Max Schrems, who was instrumental in striking down the previous data transfer agreements (i.e., Safe Harbor and Privacy Shield), has already indicated that, when available, he and his privacy advocacy group will review the final text of the agreement with their legal experts to determine whether additional legal challenges are warranted.


How to Proceed?

Prior to the finalization of the Trans-Atlantic Data Privacy Framework, organizations that plan on transferring personal data from the EU to the U.S. should continue to evaluate their data transfers on a case-by-case basis.


During this process, whether through a data transfer impact assessment or a privacy impact assessment, relevant stakeholders should identify potential transfers of personal data from the EU to the U.S., gather context related to each transfer, consult with in-house and outside counsel as necessary, and evaluate whether adequate protections are applied to the data during transfer.


As a part of this assessment, organizations should continue to consult the European Data Protection Board’s six-step roadmap to assist in the assessment of transfers and application of measures that can be taken to safeguard the transfer of personal data.


If you have questions about this new accord and how it might affect your organization, please drop us a line.

Spencer Kindt
Senior Manager, Data Governance, Privacy and Protection | Optiv
Spencer specializes in helping organizations design, implement, optimize, assess and operate privacy and data governance programs. He ensures organizations properly handle high-risk data while unlocking the high value associated with it. He also has experience helping clients prepare for and address privacy regulations (e.g., GDPR, CCPA, CPRA, LGPD, HIPAA). Spencer has experience providing customized services to organizations ranging from the global Fortune 500 to smaller, privately-owned organizations across a variety of industries.

Optiv Security: Secure greatness.™

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to more than 7,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.
