During the last 20 years, the state of the law regarding personal data transfers between the U.S. and Europe has undergone many changes and evolutions. Initially, the European Commission and the U.S. Government worked together in the late 1990s to create the U.S.-EU Safe Harbor Framework, also referred to as the International Safe Harbor Privacy Principles or simply the Safe Harbor Privacy Principles (“Safe Harbor”).¹ Safe Harbor was a response to the inflation of the dot com bubble and the resulting increase of personal data being transferred to and from the EU and the U.S. From the beginning, Safe Harbor was criticized for several reasons, including concerns that the U.S. had excessive access to EU data and there was a lack of a process for EU citizens to address such concerns. As a result, the European Court of Justice found that Safe Harbor was invalid in a case known informally as Schrems I, which was handed down in October of 2015.²

Soon after, in July of 2016, the EU-U.S. Privacy Shield (“Privacy Shield”) was implemented to replace Safe Harbor.³ Privacy Shield was similarly based on the same general guiding principles; however, Privacy Shield provided more protections and rights to Europeans whose personal data was transferred to the U.S. Despite the additional rights afforded to Europeans and stricter obligations on U.S. organizations, Privacy Shield was criticized for its inability to protect Europeans’ personal data from U.S. government surveillance and for a lack of access to judicial remedies for breaches of Privacy Shield obligations. As a result, the European Court of Justice found that Privacy Shield was invalid in a case known informally as Schrems II, which was handed down in July of 2020.⁴

Following Privacy Shield’s invalidation, organizations that transfer EU personal data to the U.S. have done so primarily by using the Standard Contractual Clauses (“SCCs”) that were preapproved by the European Commission. In the Schrems II decision, the European Court of Justice upheld the validity of the SCCs as a transfer mechanism but added that data transferred under the protection of the SCCs must be done so with a level of protection that is the same as that provided by the General Data Protection Regulation and the EU Charter of Fundamental Rights.⁵

Over the last two years, the EU and U.S. have worked toward a new framework for EU-U.S. data transfers. In March 2022, President Biden and European Commission President von der Leyen announced a new Trans-Atlantic Data Privacy Framework (the “DPF”) that was to be negotiated in the coming years. On October 7, 2022, President Biden signed an Executive Order on Enhancing Safeguards for United States Signal Intelligence Activities⁶ that outlines how the U.S. will address one of the major downfalls of Privacy Shield, strengthening the privacy and civil liberties safeguards governing U.S. signals intelligence activities. The executive order, and the steps the U.S. will take to safeguard EU personal data, will provide the European Commission with a foundation on which a new data transfer mechanism can be made.

On December 13, 2022, the European Commission issued a draft adequacy decision, kicking-off the formal process to adopt the DPF.⁷ The draft adequacy decision concludes that the DPF provides an adequate level of protection for personal data transferred from the EU to the U.S. The draft decision, however, must go through additional adoption procedures before it becomes final. As part of the procedures, the European Data Protection Board (“EDPB”) will review and issue a nonbinding opinion regarding the draft decision. The draft decision will then need approval from a committee composed of EU Member State representatives. The European Parliament also has a right to review and comment on the draft decision. Once the procedure is complete, the European Commission can adopt the final adequacy decision.

Although there is a fair way to go before the DPF is finalized and becomes a functioning data transfer mechanism, the EU and the U.S. are seeking to establish an environment that allows for international business to thrive while also protecting personal data.

Snell & Wilmer has been monitoring changes to Privacy Shield and will continue to provide updates as this topic develops.