It has been almost two years since the Privacy Shield was struck down as a valid data transfer mechanism in Schrems II. Many have been wondering, “what’s next?” Will there be a replacement framework? When will that be released? Will the replacement be invalidated? Well, the European Commission and the US recently announced an “agreement in principle” to replace the EU-US Privacy Shield. The EDPB also recently released a statement welcoming the announcement, but reminding companies that the announcement is not actually a legal framework. Thus, nothing has changed… yet.

The new framework is intended to address several of the key concerns raised in Schrems II. The US highlighted that the framework will help ensure that:

  • intelligence collection may be undertaken only where necessary to advance legitimate national security objectives, and must not disproportionately impact the protection of individual privacy and civil liberties;
  • EU individuals may seek redress from a new multi-layer redress mechanism that includes an independent Data Protection Review Court; and
  • U.S. intelligence agencies will adopt procedures to ensure effective oversight of new privacy and civil liberties standards.

Putting it into Practice. For the time being, companies must continue to take the necessary measures to comply with the data transfer requirements of the GDPR in light of Schrems II. This includes putting in place standard contractual clauses (or other appropriate safeguards), conducting transfer impact assessments, and putting in place any supplementary measures that might be needed. While a draft is expected to be released this year, it will then need to go through the adequacy decision process.