Iubenda logo
Start generating

Documentation

Table of Contents

Will the Trans-Atlantic Data Privacy Framework replace the US-EU Privacy shield?

Confused about the new Trans-Atlantic Data Privacy Framework? Here’s everything you need to know and what to do…

After almost two years of thorough negotiations, the European Commission and the United States have agreed on a new Trans-Atlantic Data Privacy Framework. The deal ensures that data transferred to the US is adequately protected, addressing the EU Court of Justice’s (Schrems II) ruling on safe and secure data flows and a competitive digital economy and economic cooperation which invalidated the privacy shield.

Based on the new framework, data will be able to flow freely and safely between the EU and participating US companies. The new framework ensures that:

  • access to data by US intelligence authorities is limited to what is necessary and proportionate, thus legitimate, to protect national security; 
  • US intelligence agencies will adopt procedures to guarantee that national security objectives do not disproportionately impact individual privacy and civil rights protection;
  • EU nationals’ complaints regarding US intelligence agencies accessing their data will be investigated and resolved through a new two-tier redress system; a Data Protection Review Court, comprised of individuals from outside the US government, will adjudicate the accusations under the new framework;
  • Companies processing data transferred from the EU must still comply with the requirement to self-certify their adherence to the Principles through the US Department of Commerce;
  • Specific monitoring and review mechanisms will be implemented.

This new framework will offer a stable foundation for trans-Atlantic data transfers, which are essential for preserving individuals’ rights and allowing trans-Atlantic commerce in all sectors of the economy, including small and medium-sized businesses. 

The European Data Protection Board (EDPB) welcomed the announcement of the political agreement, in principle, between the European Commission and the United States on 25 March. In an official statement from the EDPB, several things have been noted:

  1. The EDPB emphasizes that this announcement does not establish a legal framework for EEA data exporters to send data to the United States. Therefore, data exporters must continue to take the appropriate steps to comply with the Court of Justice of the European Union’s (CJEU) case law, particularly the Schrems II decision of July 16, 2020.
  2. The EDPB will carefully analyze the improvements that the new framework may bring in the light of EU lawCJEU case law, and past Board recommendations
  3. The EDPB will examine whether personal data collected for national security purposes is limited to what is strictly necessary and appropriate. 
  4. The EDPB will also investigate how the newly announced independent redress mechanism respects EEA citizens’ right to an effective remedy and a fair trial.
  5. The EDPB will evaluate whether any new organization created as part of this mechanism has access to relevant information, including personal data, and whether it can make binding decisions on intelligence services.
  6. The EDPB will also review whether this authority’s decisions or inaction can be challenged in court.

Will the Trans-Atlantic Data Privacy Framework replace the US-EU Privacy Shield? 

In an official release from the White House, President Biden stated that:

This new arrangement will enhance the Privacy Shield framework, promote growth and innovation in Europe and in the United States and help companies, both small and large, compete in the digital economy.

We can assume that the New Trans-Atlantic Data Privacy Framework has been made to ‘enhance’ the Privacy Shield framework as negotiations have been taking place since the Court of Justice of the European Union (CJEU) annulled the US Privacy Shield in the Schrems II ruling on June 16, 2020. 

Is the Trans-Atlantic Data Privacy Framework currently in force?

Von der Leyen stated in the joint statement that the Trans-Atlantic Data Privacy Framework is an, in principle, agreement between the EU and the US.  Both sides have a little more work to do before the text is complete however, both have provided high-level overviews of what the new Framework will feature and the next steps needed.

The US needs to issue an Executive Order which includes the commitments undertaken in the agreement. Based on this Order, the Commission needs to issue a draft adequacy decision which shall then follow a procedure to be adopted that involves also the EDPB. 

🇺🇸 The United States has issued a press release and a fact sheet.
🇪🇺 European Commission has also issued a press release and fact sheet.

Do I need to do anything?

If you are aligned with our previous guide (i.e., CJEU case law/ Schrems II decision), you don’t need to do anything yet, as the framework hasn’t been established. 

It would be best to keep an eye on the advancements made, and you can trust that iubenda has you covered when it comes to understanding these complex matters; we’ll keep you informed and up-to-date.