EU and US: a new Trans-Atlantic Data Agreement?
EU and US agree ‘in principle’ on a new Trans-Atlantic Data Agreement
March 29, 2022
Last Friday, after many months of increasing legal uncertainty with regard to the legality of international transfers of personal data from the European Union to the US, the President of the European Commission, Ursula von der Leyen announced an ‘agreement in principle’ with the U.S on revived transatlantic data flows deal. This announcement will therefore have been welcomed as a beacon of hope for companies struggling with privacy compliance in a connected world, it may be that we are not out of the woods just yet.
”“This will enable predictable, trustworthy data flows between the EU and the US, safeguarding privacy and civil liberties”Ursula von der Leyen, European Commission president.
We have a new terminology to remember: the Transatlantic Data Protection Framework. The trade principles of the Privacy Shield, with which U.S. companies commit to comply through certification to the Department of Commerce, are maintained. The new framework focuses squarely on surveillance-related protections.
However, the U.S. government is committed “to ensure that signals surveillance activities are necessary and proportionate”. Indeed, necessity and proportionality are at the heart of the discussions, this is a topic much criticised by the CJEU, it is a non-negligible obstacle. A new set of rules and binding safeguards to limit access to data by U.S. intelligence authorities to what is necessary and proportionate to protect national security, U.S. intelligence agencies will adopt procedures to ensure effective oversight of new privacy and civil liberties standards.
Important points for the future
• The new redress mechanism will include a “new-multi layer redress mechanism that includes an independent Data Protection Review Court that would consist of individuals chosen from outside the U.S. Government who would have full authority to adjudicate claims and direct remedial measures as needed”.
• This announcement could if concluded resolve one of the thorniest outstanding issues between EU and U.S. companies. In the coming months, we will have to keep an eye on the American legislation. Indeed, the next step is the translation into legal documents. The U.S. will issue an Executive order to give the legal effect to the U.S. commitments, which will then form the basis for the Commission’s adequacy decision. Based on the new framework, data will be able to flow freely and safely between the EU and participating Under the GDPR, international transfers can take place as long as an adequate level of protection of individuals’ fundamental right to data protection is ensured. The Commission has determined that several countries ensure an adequate level of protection through their national law or international commitments they have entered into.
The potential deal of a new EU-US Privacy Framework is welcomed as a light at the end of the Schrems 2 tunnel indeed. Let’s just hope it is not the headlight of the approaching train of Schrems 3. Once again, this announcement reminds us that this is a global issue, not a transatlantic one.