What is new in the sphere of personal data transfers to the USA and what do we know about the new Trans-Atlantic Data Privacy Framework?

Background:

In 2020, the ECJ rendered a landmark decision in the Schrems II case, annulling the EU Commission’s adequacy decision in favour of the Privacy Shield which allowed for secure personal data transfers between the EU and the USA. Two years later, this continues to cast uncertainty and to prevent businesses from carrying out data transfers tо the USA. Based on official data, the continued flow of data between the EU and the USA underpins roughly $1 trillion in cross-border commerce every year. Therefore, it is crucial for the EU and the USA to ensure the legality of such flows between businesses on both sides.

What is the new Trans-Atlantic Data Privacy Framework?

In the end of March 2022, the EU and the USA reached a political agreement on the so-called Trans-Atlantic Data Privacy Framework (“TADPF”) which will enable free data flows between the EU and the USA.

The benefits of the deal, according to the European Commission include adequate protection of Europeans’ data transferred to the US, safe and secure data flows, durable and reliable legal basis, competitive digital economy and economic cooperation, continued data flows. All these are of huge importance for data subjects in the EU as currently once their data is transferred to the USA, the level of protection the legal framework currently provides does not meet the high standards set by the General Data Protection Regulation (known as the GDPR).

In the light of the above, under the TADPF, the United States has committed to strengthen the privacy and civil liberties safeguards governing U.S. signals intelligence activities, establish a new redress mechanism with independent and binding authority and enhance its existing rigorous and layered oversight of signals intelligence activities. Those were all important contentious points in the Schrems II decision. The Court of Justice of the EU has elaborated on the deficiencies in all these aspects and the USA has undertaken to address those them in the following months.

What comes next?

The political agreement which is currently in place is not a binding legal act, which means that data exporters cannot use it as basis for the data transfers to the USA. This is also the official position of the European Data Protection Board. The next step is for the USA to adopt an Executive Order. Then, based on it the European Commission will adopt a new adequacy decision to legally put in place the TADPF.

What do we know about the new redress mechanism?        

A new redress mechanism will also be introduced. EU individuals will be able to obtain redress from a Data Protection Review Court if they consider that U.S. intelligence agencies have unlawfully targeted them. Indeed, the Privacy Shield itself contained a redress mechanism – the “ombudsperson”. However, the CJEU has deemed it to be ineffective as it is unable to adopt decisions that are binding on the intelligence services. It remains to be seen how the Data Protection Review Court will be different. The way such a court will function in the judicial system of the U.S. is also unclear.

What impact is this going to have on businesses?

Even before the details of the newly adopted framework became clear, skepticism towards its success has already been expressed as this will be the third attempt for the creation of a reliable mechanism for the secure transfer of personal data from the EU to the USA. Until more information is available, businesses transferring personal data to the USA should rely on other data transfer mechanism allowed under the GDPR such as the so-called “standard contractual clauses” or the “binding corporate rules”.

For further information contact:
Mileslava Bogdanova – Misheva, Senior Associate
mileslava.bogdanova@kdp-law.com
Simona Mokreva, Associate
simona.mokreva@kdp-law.com