Transatlantic data flows took center stage at the International Association of Privacy Professionals (IAPP) Global Privacy Summit, the organization’s annual meeting which convened in Washington from April 11-13.

Achieved Compliance’s Senior Director of Global Privacy Policy and Privacy Fellow with the Innovator’s Network Foundation joined fellow panelists Chris Hoff, Deputy Assistant Secretary for Services at the International Trade Administration, U.S. Department of Commerce; Bruno Gencarelli, Deputy to the Director for Fundamental Rights and Rule of Law & Head of Unit for International Data Flows and Protection - DG Justice and Consumers at European Commission; and moderator Brian Scarpelli, Senior Global Policy Counsel at ACT | The App Association to discuss prospects for the newly agreed-upon Transatlantic Data Protection Framework. They titled the panel EU-U.S. Privacy Shield and the Future of Trans-Atlantic Data Flows.

EU-U.S. Privacy Shield and the Future of Trans-Atlantic Data Flows

Before an audience of over 700 attendees, panelists discussed the nature of the new agreement, prospects for implementation and the importance of the Framework for small and medium-sized businesses.  

The Framework supports the lawful transfer of data from the European Union to the United States and will replace the Privacy Shield. The European Court of Justice invalidated the Privacy Shield agreement after finding that U.S. law did not offer sufficient protections for EU data subjects, despite the agreement having established requirements for transatlantic transfers of personal data. The end of the Privacy Shield arrangement resulted in legal uncertainty and lack of clarity for companies moving data across the Atlantic.

‍According to a fact sheet released by the White House, the new Trans-Atlantic Data Privacy Framework will reflect the U.S. government’s implementation of reforms to provide better protections for EU data subjects.

In particular, Europeans will be able seek redress at a newly-created, independent Data Protection Review Court that will have "full authority" to adjudicate claims and direct remedial measures as needed.  

The US government will also ensure that signals intelligence collection may only be undertaken where necessary to advance legitimate national security objectives and must not disproportionately impact the protection of individual privacy and civil liberties under the framework.

Significantly, the new Framework and the redress mechanism do not impose any new requirements for companies. However, discussions continue to finalize details of the agreement.