Source: GDPR Legal Alert, 30 March 2022, Weinhold Legal
On 25th March 2022 the European Commission and the United States in a joint statement at the highest political level announced an agreement on the principles of a new Trans-Atlantic Data Privacy Framework with regard to their transfer from the European Union to the United States. This new framework could put an end to the nearly two-year period of legal uncertainty in which thousands of companies have found themselves after the Court of Justice of the European Union in the Schrems II decision of July 2020 annulled the so-called Privacy Shield – agreement between the EU and the US, on the basis of which personal data was transferred from the EU to the US for commercial purposes.
Trans-Atlantic Data Privacy Framework and its announced basic principles reflect more than a year of ongoing negotiations between the EU and the US. It should provide a lasting basis for the flow of data between the EU and the US, so as to provide adequate protection for the rights of data subjects, for which the Privacy Shield has just been abolished.
The details of the framework itself are now unknown. The basic principles summarized in the information document of the European Commission and the White House are:
The trans-atlantic legal framework is certainly a desirable step, as the transfer of personal data from the EU to the US is now very difficult as a result of Schrems II. It requires companies to carry out detailed Data Transfer Impact Assessments in addition to the standard contractual clauses in order to determine whether transferred personal data will be provided with an adequate level of protection and security and to take additional measures to mitigate the identified risks. However, these risks, especially given the competencies of US intelligence agencies with regard to access to EU / EEA citizens' personal data, cannot be reliably ruled out.
Past experience with the predecessors of the transatlantic framework, which, in addition to Privacy Shield was also Safe Harbor, shows that it is likely to take months for these proclaimed principles to take the form of binding legal instruments to be adopted on both sides of the Atlantic to put the principles into practice. The European Commission will need detailed documentation from the US setting out the measures taken to address the issues raised in the Schrems II decision. The European Commission will then prepare and publish a proposal for a decision on the adequacy of personal data protection (so-called adequacy decision) pursuant to Article 45 of Regulation 2016/679 of the European Parliament and of the Council (EU) of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, "GDPR").
Once the draft adequacy decision is published, the next step will be taken by the European Data Protection Board ("EDPB"). According to Article 70 of the GDPR, the EDPB will "provide the Commission with an opinion to assess the adequacy of the level of protection".
Although such opinion is not binding, it plays an important role. In its opinion, the EDPB may ask the Commission to clarify certain points or may indicate areas that it considers do not comply with the rights guaranteed by EU law. It is not possible to know in advance how the EDPB will react to the draft adequacy decision, but it is possible to rely on the documentation of its predecessor – the WP 29 working group, which published the Reference Framework for Adequate Protection in 2017. The aim of this document was to set out the basic data protection principles that a third country's legal frame-work must contain in order to be substantially equivalent to the EU framework, thus providing guidance to the European Commission and the WP29 on the assessment of data protection levels in third countries. The EDPB has recently updated this reference framework by issuing Guideline 2/2020 on the transfer of personal data between public authorities and public bodies inside and outside the EEA. It is therefore likely that the EDPB's opinion will be based on these guidelines previously issued by it. The Commission then has to deal with the EDPB's opinion and further subject the draft adequacy decision to the scrutiny procedure of the EU Member States' Committee.
It is therefore clear that some time will pass before we have a new tool for transferring personal data from the EU to the US. And given the statements of some data protection activists, it can also be expected that even after the European Commission's final decision on adequacy, this decision is likely to be re-submitted to the Court of Justice of the European Union for review. Therefore, it is appropriate to continue to use standard contractual clauses as a tool for the transfer of personal data to the US and to carry out a detailed assessment of the impact of the transfer of personal data.
For further information, please contact the following Weinhold Legal lawyers:
Martin Lukáš, Partner, Martin.Lukáš@weinholdlegal.com
Tereza Hošková, Managing Associate, Tereza.Hoskova@weinholdlegal.com
Daša Aradská, Attorney at Law, Dasa.Aradska@weinholdlegal.com