Early facts on the new data protection agreement between the EU and the USA
The European Commission and the United States today announced in a joint statement that they have agreed in principle on a new “Trans-Atlantic Data Privacy Framework”. The new agreement aims to promote data sharing between the EU and the US and overcome the concerns raised by the European Court of Justice (ECJ) in a “Schrems II” ruling in July 2020.
The key aspects of the “Trans-Atlantic Data Privacy Framework”
- The new agreement is to form the basis for free and secure exchange of personal data between the EU and participating US companies.
- The agreement is to stipulate new rules and binding safeguards limiting US intelligence agencies’ access to personal data to what is necessary and proportionate to protect national security. At the same time, US intelligence agencies are to introduce procedures to ensure effective monitoring of the new standards for data protection and civil rights.
- A new two-tier redress system to investigate and resolve EU citizens’ complaints about access to data by US intelligence agencies is to be established. Judicial review is to be ensured through a new “Data Protection Review Court”.
- Strict obligations are to be imposed on US companies processing data transferred from the EU. These companies are to be further obliged to confirm compliance with the “Trans-Atlantic Data Privacy Framework” to the US Department of Commerce through self-certification.
What comes next?
The general agreement reached is now to be transformed into a binding legal agreement. On the US side, an Executive Order is to be issued, which will serve as the basis for a new adequacy decision by the EU Commission.
What are the consequences of the new agreement for businesses in Europe?
A new adequacy decision by the EU Commission will significantly simplify the exchange of personal data between Europe and the USA. From an economic perspective, the “Trans-Atlantic Data Privacy Framework” is therefore to be welcomed, even if the details of the agreement are still unclear. We should hope that at the end of the process, the protection of European data in the USA will actually be substantially improved. In the event of a failure to sufficiently take into account the requirements of the “Schrems II” decision, the new agreement will not stand up to a foreseeable review by the ECJ. The hoped-for legal certainty would not be achieved. With all the enthusiasm about the new agreement on data exchange with the USA, companies must not forget that the transfer of personal data to other third countries, such as China, Russia or countries in the Arab world, still continues to be problematic.
Practical advice
As it is still unclear what legal certainty the “Trans-Atlantic Data Privacy Framework” can provide and when the EU Commission will adopt the announced adequacy decision, European companies should stick to their processes for critical review of third-country transfers to the US for the time being. However, in order to save costs and efforts in conducting transfer impact assessments, it may be advisable to await the outcome of the current developments.
More sources
- Joint press release of the EU Commission and the United States of 25.03.2022.
- Fact sheet of the EU Commission of 25.03.2022.
- White House fact sheet dated 25.03.2022.