In a joint press release issued on 25 March 2022, it was announced that the European Commission and the U.S. Government have agreed on a Trans-Atlantic Data Privacy Framework (the 'Framework') which would succeed the EU-US Privacy Shield (which had, in turn, succeeded the previous 'Safe Harbour' mechanism).

This Framework is already being referred to by some as the 'EU-US Privacy Shield 2.0', but it is actually the third attempt at regulating Trans-Atlantic transfers of personal data. The Framework would comply with the decision taken by the CJEU in Data Protection Commissioner v Facebook Ireland Ltd, Maximilian Schrems and intervening parties, Case 3-11/18 (Schrems II), and relieve the uncertainty which that decision has caused. For some background, please read our previous article ('The EU-US Privacy Shield is No More').

The U.S. Government and the European Commission will have to continue cooperating in order to translate the high-level agreement into an effective legal framework. The Framework ensures that:

  • Personal Data would flow freely and safely between the EU and the U.S.;
  • Access to Personal Data by the U.S. Intelligence Authorities would be limited to what is necessary and proportionate to ensure that national security is protected. This limitation would be imposed on the U.S. authorities by a new set of rules and binding safeguards;
  • A new two-tier redress system would be introduced to investigate complaints put forward by Europeans concerning data access by U.S. Intelligence authorities. This redress system also includes a Data Protection Review Court;
  • Obligations are set out which bind companies processing data transferred from the EU.

The scope of protection of the Framework covers only the recipients who comply with the European data protection principles by 'self-certifying' their compliance.

The Framework is not expected to come into force anytime soon and it is presumed that an adequacy decision will not become available before the end of the year 2022. Until its entry into force, data transfers from Malta (or anywhere within the EU) to the United States will only be allowed on the basis of appropriate safeguards as we previously discussed here, including the Standard Contractual Clauses which were recently updated.

Whether the new Framework will finally bring about a lawful and practical mechanism which facilitates cross-border transfers of personal data between the EU and the U.S., and whether this will be more robust than the previous 'Safe Harbour' and/or 'Privacy Shield' mechanisms, can only be determined once it comes into force.