Commission and US Government Reach Agreement on Principles of Future Trans-Atlantic Data Privacy Framework
On 25 March 2022, the European Commission announced that a preliminary political agreement had been reached on the principles of the future framework for transatlantic data flows. New negotiations with the U.S. government had become necessary after the CJEU toppled the predecessor agreement, the EU-US Privacy Shield, in the 2020 Schrems II decision (→ eucrim 2/2020, 98-99). The ruling led to great uncertainty in the economic sector, for which the Privacy Shield applied.
The EU and U.S. side could agree on the following key principles:
- A new set of rules and binding safeguards to limit access to data by U.S. intelligence authorities to what is necessary and proportionate to protect national security;
- U.S. intelligence agencies will adopt procedures to ensure effective oversight of new privacy and civil liberties standards;
- A new two-tier redress system to investigate and resolve complaints of Europeans on access of data by U.S. intelligence authorities; this will include a Data Protection Review Court;
- Strong obligations for companies processing data transferred from the EU, which will continue to include the requirement to self-certify their adherence to the new transatlantic data privacy framework through the U.S. Department of Commerce;
- Specific monitoring and review mechanisms.
Next steps: Agreement was only reached in principle. It must now be translated into a concrete legislative document that has to be adopted by both sides. U.S. commitments will be included in an “Executive Order”. This will form the basis for the European Commission to draft an adequacy decision pursuant to Art. 45 GDPR. Such adequacy decision would facilitate data transfers between EU and U.S. companies. Currently, data transfers can be based on standards contractual clauses which necessitate, however, a complex “transfer impact assessment”.