This presentation covers the history of the US Safe Harbor, Privacy Shield, and the effects of the Schrems and Schrems II decision on the Safe Harbor and Privacy Shield. Before the GDPR came into full effect, US companies relied on the US-EU safe harbor framework as the legal basis for “adequate” data transfers between the EU and the US. In 2015, the Court of Justice of the European Union (CJEU) in Schrems I ruled that the adequacy decision of the US-EU Safe Harbor framework was invalid. To resolve the fallout from Schrems, the EU-US Privacy Shield was created in 2016. However, the Privacy Shield’s validity was short-lived. The July 2020 ruling of the Court of Justice of the European Union (CJEU) in Schrems II struck down the Privacy Shield adequacy decision, compelling American companies certified under US-EU Privacy Shield to find other means to receive transfers of data from the EU.
Today, many American companies rely on standard contractual clauses (SSC) with their European partners. This requires companies to engage in complex “Data Transfer Impact Assessments” (TIA) for EU-US international data transfers. In this presentation, we will briefly discuss the difficulty in evaluating the legal framework of the TIA. In addition, if the level of protection of personal data under the TIA is not satisfactory, parties must implement “supplementary measures” to ensure essential adequacy equivalence. We will also discuss the complexity of implementing such measures.
On March 25, 2022, President Biden and President von der Leyen’s joint press statement announced the new transatlantic data flow framework. This announcement was welcomed with great relief by both the US and EU industries. This presentation will discuss the known details about the new transatlantic data flow framework and provide insight into what the companies can do in the meantime to best prepare and comply with the current and future requirements.