EU - US Data Protection Agreement Imminent

Mutual Agreements Nearing Ratification Following US Greenlight

| Published on 24 Aug 2022

EU-US Data Protection Agreement Imminent img

Privacy Law Developments

On Friday 25 March 2022, a deal was reached between the US and the European Commission in order to replace the former Privacy Shield framework governing data transfers from the European Economic Area to the US. 

This agreement will provide a new ‘Trans-Atlantic Data Privacy Framework’ which will foster transatlantic data flows as well as address the concerns which were raised by the Court of Justice of the European Union in the ‘Schrems II’ decision (decided on the 16th of July 2020). 

History of Data Privacy Shield 

The famous ‘Schrems II’ case originated from privacy activist Maximilian Schrems’s call for the Irish Data Protection Commissioner to invalidate the Standard Constractual Clauses ('SCCs') for Facebook’s use of transferring personal data to its headquarters in the US. It was argued in this case that personal data which is transmitted and stored in the US could be easily accessed by the US intelligence agencies. In this case, Mr. Schrems argued that this was in violation of the GDPR and, more broadly, EU law. According to GDPR rules, transfers outside of the EU and EEA are prohibited unless a sufficient safeguard can be guaranteed. 

The court in this case struck down the former Privacy Shield data transfer framework between the US and EU in 2020 due to the potential risk of mandatory production of data under Foreign Intelligence Surveillance Act of 1978 (also known as ‘FISA’).

Proposed Privacy Shield Revival

In this new and forthcoming transatlantic agreement, the US undertook the implementation of the following measures:

-  New safeguards to ensure that signals surveillance activities are obligatory and proportionate in the pursuit of defined national security objectives.

- Establish a two-level independent redress mechanism with binding authority to direct remedial measures.

- Strengthen the signals of intelligence activities in order to ensure compliance with limitations on surveillance. 

EU-US ‘Privacy Shield’ 2.0: The Challenges and Objectives which Lie Ahead 

The main impetus behind these new privacy law measures is to address the concerns regarding the potential risk that personal data which is transferred to the US could potentially be subject to mandatory production to the US government under the FISA. These concerns have been at the front line of EU privacy law for quite some time and were the cornerstone of recent decisions made by the Court of Justice of the EU.

The main test in question will be whether the new safeguards proposed by the US are adequate enough to mitigate the risk of possible mandatory production under the FISA as well as to simultaneously alleviate such concerns within the EU. After the EU court struck down the former Privacy Shield framework in the ‘Schrems II’ case, organizations were left to determine for themselves ways by which to lawfully facilitate transatlantic data transfers; most organizations in fact resorted to utilising SCCs in order to safeguard data and duly comply with the corresponding GDPR safeguards and pre-requisites concerning data transfers out of the EU or EEA.

This new EU-US framework therefore marks an unprecedented commitment and move on the part of the US to implement reforms that will strengthen the privacy and civil liberties protections in respect to potential US signal intelligence activities, and to ultimately reconcile a trade-gap left amongst these two major global diplomatic powers, due to data protection and privacy concerns.

Following the recent US greenlight on this framework, it is certainly a big step in the direction of ratification of this transatlantic data protection agreement, the countdown until bilateral ratification has begun.

What This Means for You

For businesses, the existence of a revived Privacy Shield streamlines compliance with data protection laws when engaging with EU-US personal data exchange. For consumers, the Privacy Shield serves as a standard of data protection for the personal data, for protecting individuals against the misuse and unlawful collection and processing of personal data.

This framework will facilitate further the EU-US cooperation including through the trade and technology council and through multilateral fora, for instance the Organization for Economic Cooperation and Development, or ‘OECD’, on digital policies. 

This arrangement would naturally need to be translated into legal instruments in order for it to be effectives and binding in respect of both ends of the table – i.e, to put in place this new termed ‘Trans-Atlantic Data Privacy Framework’. 

Despite this new agreement however, it remains to be seen as to whether the EU and US can put aside their differences in order to foster an enforceable transatlantic regulatory data transfer regime outside of the EU or EEA.

Through the advancement of cross-border data flows, this new framework will promote an inclusive digital economy whereby all people can participate and in which all companies of all shapes and sizes from all over the world can thrive. 

How We can Help

Chetcuti Cauchi Advocates is at the forefront of legal developments in innovative technologies and our lawyers cover even less conventional legal domains of practice. Our value stems not only from our acumen in legal niches across the board but also in our ability to translate the various tech-legal implications into an effective throughput for the client’s overall best interests and business prowess.



Our GDPR Services

Whilst we are aptly cognisant of the current legal status quo in the areas of both Privacy and Data Protection Law, we are always monitoring current legal affairs to ready ourselves for the legal introduction of new innovative tech-legal developments.

This anticipated Privacy Shield 2.0 is no exception – once the bilateral agreement talks reach mutual ground, we will be ready to legally advise on how you can benefit or even capitalise in business terms, from the introduction of the new EU-US Data Protection framework.

Request More Information

Please send me legal and other updates

Key Contacts

Dr Charlene Mifsud

Partner, Corporate & Commercial

+356 2205 6298

Related Practice Groups