Will the Trans-Atlantic Data Privacy Framework replace the US-EU Privacy shield?

After almost two years of thorough negotiations, the European Commission and the United States have agreed on a new Trans-Atlantic Data Privacy Framework. The deal ensures that data transferred to the US is adequately protected, addressing the EU Court of Justice’s (Schrems II) ruling on safe and secure data flows and a competitive digital economy and economic cooperation which invalidated the privacy shield.

Based on the new framework, data will be able to flow freely and safely between the EU and participating US companies. The new framework ensures that:

• access to data by US intelligence authorities is limited to what is necessary and proportionate, thus legitimate, to protect national security; 
• US intelligence agencies will adopt procedures to guarantee that national security objectives do not disproportionately impact individual privacy and civil rights protection;
• EU nationals’ complaints regarding US intelligence agencies accessing their data will be investigated and resolved through a new two-tier redress system; a Data Protection Review Court, comprised of individuals from outside the US government, will adjudicate the accusations under the new framework;
• Companies processing data transferred from the EU must still comply with the requirement to self-certify their adherence to the Principles through the US Department of Commerce;
• Specific monitoring and review mechanisms will be implemented.

This new framework will offer a stable foundation for trans-Atlantic data transfers, which are essential for preserving individuals’ rights and allowing trans-Atlantic commerce in all sectors of the economy, including small and medium-sized businesses. 

The European Data Protection Board (EDPB) welcomed the announcement of the political agreement, in principle, between the European Commission and the United States on 25 March. In an official statement from the EDPB, several things have been noted:

1. The EDPB emphasizes that this announcement does not establish a legal framework for EEA data exporters to send data to the United States. Therefore, data exporters must continue to take the appropriate steps to comply with the Court of Justice of the European Union’s (CJEU) case law, particularly the Schrems II decision of July 16, 2020.
2. The EDPB will carefully analyze the improvements that the new framework may bring in the light of EU law, CJEU case law, and past Board recommendations. 
3. The EDPB will examine whether personal data collected for national security purposes is limited to what is strictly necessary and appropriate. 
4. The EDPB will also investigate how the newly announced independent redress mechanism respects EEA citizens’ right to an effective remedy and a fair trial.
5. The EDPB will evaluate whether any new organization created as part of this mechanism has access to relevant information, including personal data, and whether it can make binding decisions on intelligence services.
6. The EDPB will also review whether this authority’s decisions or inaction can be challenged in court.