- FTC Scrutinizes Children’s Privacy Issues Involving Education Technology
- Utah Becomes the Fourth State to Enact a Comprehensive Privacy Law
- Courts Requiring General and Professional Liabilities Policies to Respond to Cyberattacks
- The US and EU Announce a New Trans-Atlantic Data Privacy Framework
- BIPA Claims Following the McDonald Decision
- NY Attorney General Offers Guidance on Dealing with Credential Stuffing
- “Silent Cyber” Continues to Make Noise in State Appellate Courts
- The FBI Warns M&A Participants on the Increasing Ransomware Threat
- FTC Updates Safeguards Rule for Non-Banking Financial Institutions
- The DOJ’s Civil Cyber-Fraud Initiative
Legal developments in data, privacy, cybersecurity, and other emerging technology issues
On March 25, 2022, the United States and the European Union announced they agreed in principle to a new data privacy framework for cross-border data transfers. Although specific details of this new data privacy framework have not yet been provided, the new framework is meant to replace the former EU-U.S. Privacy Shield (the “Privacy Shield”), an arrangement that allowed companies to transfer the personal data of European data subjects to the United States. The Privacy Shield was invalidated in July of 2020 by the Court of Justice of the European Union on the basis that the Privacy Shield did not protect European data from U.S. surveillance.
The introduction of the new data privacy framework was announced in a joint press conference between United States President Joe Biden and European Commission President Ursula von der Leyen during President Biden’s recent trip to Europe. The parties “reached another major breakthrough in transatlantic data flows” stated President Biden, while adding that the new data privacy framework “will enhance the Privacy Shield framework, promote growth and innovation in Europe and the United States, and help companies, both small and large, compete in the digital economy.”
As further elaborated by the White House, the new data privacy framework will address the concerns raised by the Court of Justice of the European Union when it struck down the Privacy Shield framework and will reestablish an important legal mechanism for transfers of EU personal data to the United States. According to a White House announcement, the new framework is to include additional safeguards to ensure that intelligence activities undertaken in the pursuit of national security objectives are necessary and proportionate. It will also incorporate a new mechanism for European Union individuals who seek to redress unlawful targeting by intelligence activities. Specifically, EU individuals will be able to seek redress from a new multi-layer redress mechanism that includes an independent Data Protection Review Court that would consist of individuals chosen from outside of the U.S. government who would have full authority to adjudicate claims and direct remedial measures as needed. The U.S. government and the European Commission are now tasked with implementing the arrangement into legal documents.
For the time being, the announcement does not bring any imminent change to the legal landscape. Data transfers involving residents of member countries of the European Union must be made while undertaking appropriate safeguards, such as binding corporate rules or the recently updated Standard Contractual Clauses, and must be further supplemented by data transfer impact assessments. Honigman will continue to track the developments of and announce any updates relating to the new data privacy framework as such developments and updates arise.