The “Trans-Atlantic Data Pri­va­cy Framework”

Ear­ly facts on the new data pro­tec­tion agree­ment bet­ween the EU and the USA

The Euro­pean Com­mis­si­on and the United Sta­tes today announ­ced in a joint state­ment that they have agreed in prin­ci­ple on a new “Trans-Atlantic Data Pri­va­cy Frame­work”. The new agree­ment aims to pro­mo­te data sha­ring bet­ween the EU and the US and over­co­me the con­cerns rai­sed by the Euro­pean Court of Jus­ti­ce (ECJ) in a “Schrems II” ruling in July 2020.

The key aspects of the “Trans-Atlantic Data Pri­va­cy Framework”

  • The new agree­ment is to form the basis for free and secu­re exch­an­ge of per­so­nal data bet­ween the EU and par­ti­ci­pa­ting US companies.
  • The agree­ment is to sti­pu­la­te new rules and bin­ding safe­guards limi­ting US intel­li­gence agen­ci­es’ access to per­so­nal data to what is neces­sa­ry and pro­por­tio­na­te to pro­tect natio­nal secu­ri­ty. At the same time, US intel­li­gence agen­ci­es are to intro­du­ce pro­ce­du­res to ensu­re effec­ti­ve moni­to­ring of the new stan­dards for data pro­tec­tion and civil rights.
  • A new two-tier redress sys­tem to inves­ti­ga­te and resol­ve EU citi­zens’ com­plaints about access to data by US intel­li­gence agen­ci­es is to be estab­lished. Judi­cial review is to be ensu­red through a new “Data Pro­tec­tion Review Court”.
  • Strict obli­ga­ti­ons are to be impo­sed on US com­pa­nies pro­ces­sing data trans­fer­red from the EU. The­se com­pa­nies are to be fur­ther obli­ged to con­firm com­pli­ance with the “Trans-Atlantic Data Pri­va­cy Frame­work” to the US Depart­ment of Com­mer­ce through self-certification.

What comes next?

The gene­ral agree­ment rea­ched is now to be trans­for­med into a bin­ding legal agree­ment. On the US side, an Exe­cu­ti­ve Order is to be issued, which will ser­ve as the basis for a new ade­quacy decis­i­on by the EU Commission.

What are the con­se­quen­ces of the new agree­ment for busi­nesses in Europe?

A new ade­quacy decis­i­on by the EU Com­mis­si­on will signi­fi­cant­ly sim­pli­fy the exch­an­ge of per­so­nal data bet­ween Euro­pe and the USA. From an eco­no­mic per­spec­ti­ve, the “Trans-Atlantic Data Pri­va­cy Frame­work” is the­r­e­fo­re to be wel­co­med, even if the details of the agree­ment are still unclear. We should hope that at the end of the pro­cess, the pro­tec­tion of Euro­pean data in the USA will actual­ly be sub­stan­ti­al­ly impro­ved. In the event of a fail­ure to suf­fi­ci­ent­ly take into account the requi­re­ments of the “Schrems II” decis­i­on, the new agree­ment will not stand up to a fore­seeable review by the ECJ. The hoped-for legal cer­tain­ty would not be achie­ved. With all the enthu­si­asm about the new agree­ment on data exch­an­ge with the USA, com­pa­nies must not for­get that the trans­fer of per­so­nal data to other third count­ries, such as Chi­naRus­sia or count­ries in the Arab world, still con­ti­nues to be problematic.

Prac­ti­cal advice

As it is still unclear what legal cer­tain­ty the “Trans-Atlantic Data Pri­va­cy Frame­work” can pro­vi­de and when the EU Com­mis­si­on will adopt the announ­ced ade­quacy decis­i­on, Euro­pean com­pa­nies should stick to their pro­ces­ses for cri­ti­cal review of third-country trans­fers to the US for the time being. Howe­ver, in order to save cos­ts and efforts in con­duc­ting trans­fer impact assess­ments, it may be advi­sa­ble to await the out­co­me of the cur­rent developments.

More sources


reuschlaw Onepager Data Privacy Framework

reusch­law One­pager Data Pri­va­cy Framework


Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.