What was initially inferred from various media reports has been confirmed by the USA and the EU. From the White House Factsheet:
The United States and the European Commission have committed to a new Trans-Atlantic Data Privacy Framework, which will foster trans-Atlantic data flows and address the concerns raised by the Court of Justice of the European Union when it struck down in 2020 the Commission’s adequacy decision underlying the EU‑U.S. Privacy Shield framework.
A shorter factsheet has also published the EU Commission.
Not much is known about the content, including a draft of the text, which as far as is known is not yet available but is to be worked out by the U.S. government and the EU Commission. The finalization of the text will apparently be done by an Executive Order of the U.S. government and a corresponding adequacy decision of the Commission.
The fact sheets remain vague. That of the USA, however, at least states the following:
Under the Trans-Atlantic Data Privacy Framework, the United States has made unprecedented commitments to:
- strengthen the privacy and civil liberties safeguards governing U.S. signals intelligence activities;
- Establish a new redress mechanism with independent and binding authority; and
- Enhance its existing rigorous and layered oversight of signals intelligence activities.
For example, the new Framework ensures that:
- Signals intelligence collection may be undertaken only where necessary to advance legitimate national security objectives, and must not disproportionately impact the protection of individual privacy and civil liberties;
- EU individuals may seek redress from a new multi-layer redress mechanism that includes an independent Data Protection Review Court that would consist of individuals chosen from outside the U.S. Government who would have full authority to adjudicate claims and direct remedial measures as needed; and
- U.S. intelligence agencies will adopt procedures to ensure effective oversight of new privacy and civil liberties standards.
As far as can be seen, it is not a question of changing the U.S. legal basis or existing executive orders, but of a more data protection-friendly approach.
noyb, the NGO from Schrems, has – unsurprisingly – a critical statement published (“lipstick on a pig”) and held out the prospect of subjecting Privacy Shield 2.0 to judicial review.