On March 25, the U.S. and E.U. announced a new trans-Atlantic data transfer agreement (“Data Transfer Agreement”) to allow for the simpler and lawful transfer of E.U. personal data to locations within the U.S. Once in place, the new Data Transfer Agreement will provide U.S.-based entities with a new legal mechanism (other than cumbersome contractual clauses) to comply with the E.U.’s General Data Protection Regulation (“GDPR”).

The announcement of the new Data Transfer Agreement was short on details, and the exact measures and compliance mechanisms are unknown. Those details and mechanism will be key in understanding the possible legal longevity of the new Data Transfer Agreement, as E.U. courts have struck down similar agreements in the past.

In order to lawfully transfer data under the GDPR from a location within the E.U. to a location outside of the E.U., an entity must either (1) be sending the personal data to a country that the E.U. Commission has determined provides “adequate” safeguards equivalent to those in the E.U.; or (2) making the transfer subject to appropriate safeguards. Those safeguards can take the form of the Standard Contractual Clauses (“SCCs”), binding corporate rules, or additional contractual safeguards. The new Data Transfer Agreement will be in place to assure that transfers of personal data from the E.U. to the U.S. are subject to appropriate safeguards and comply with the second option.

Prior to July 2020, data transfers between the U.S. and E.U. were subject to Privacy Shield, which was set up between the U.S. and E.U. to ensure that the U.S. provided adequate safeguards for data transfers. Numerous entities utilized Privacy Shield in order to properly transfer personal data from locations within E.U., to locations in the U.S. without running afoul of the GDPR or E.U. Data Protection Authorities (“DPAs”). However, Privacy Shield was rejected by the E.U. courts in 2020.

Diplomats from both the E.U. and U.S. had been working for over a year on a new agreement meant to both assure that individual privacy rights and freedoms of Europeans are upheld, and to allow the free flow of the technology trade (and with it, personal data) to continue between the E.U. and the U.S. This effort represents the culmination of those negotiations, which began in the aftermath of the E.U. court’s decision to strike down Privacy Shield.

EU-US Data Flow Background

In Schrems II, the Court of Justice of the European Union famously struck down the E.U. - U.S. Privacy Shield. The main concern and issue raised by the court was that U.S. law (and Privacy Shield) did not grant sufficient protection to an individual’s privacy as compared to the GDPR. Specifically, the court was most concerned with unauthorized federal government access to personal data under the Foreign Intelligence Surveillance Act (“FISA”), and the lack of measures in place for European citizens to challenge such access or government requests.

The Court also called into question the validity of the old SCCs. The SCCs are a contractual tool that entities use to ensure that personal data shared over the course of a cross-border contractual relationship is properly protected and the rights guaranteed to European individuals are upheld.

While cumbersome, the SCCs have become a common mainstay in transactions that involve data transfer from the European Economic Area (“EEA”) to other geographical locations. To address the concerns the Court raised in Schrems II, the European Commission adopted the new SCCs, which have been in place since this past summer and required since this past fall.

The development of a new Data Transfer Agreement is immensely important for the U.S. and E.U. trans-Atlantic data flow relationship. Recently, DPAs ruled that data transfer relationships pursuant to the use of Google Analytics were unlawful under the GDPR. This underscores a recent trend of DPAs to move towards a data localization requirement under the GDPR.

The New Data Transfer Agreement

While the announcement of the new Data Transfer Agreement is short on details, it shows that both the U.S. and E.U. were conscious to craft the new Data Transfer Agreement to address the concerns raised in Schrems II.

Specifically, the Biden Administration’s announcement of the new Data Transfer Agreement stated that the U.S. will implement new safeguards related to foreign intelligence gathering to ensure such surveillance is only “necessary and proportionate.” U.S. government surveillance, under the new Data Transfer Agreement, will only be conducted “where necessary to advance legitimate national security objectives” and in ways designed not to disproportionally negatively impacting individual privacy rights.

Additionally, the announcement states that the U.S. will develop and implement new legal mechanisms by which individuals in the E.U. can seek legal recourse in the event they are subject to U.S. government surveillance.

Moving Forward

With the exponential increase in technology and software-as-a-service contracts, any U.S.-based entity that does business in the E.U. or collects, transfers, or processes E.U. personal data will need to stay tuned for the release of the new Data Transfer Agreement.

The new Data Transfer Agreement will likely be an important new tool for any and all contracts that contemplate the transfer of E.U. personal data to locations within the U.S.