Confused about the new Trans-Atlantic Data Privacy Framework? Here’s everything you need to know and what to do…
What is the New Trans-Atlantic Data Privacy Framework
What does the European Data Protection Board say?
Will the Trans-Atlantic Data Privacy Framework replace the US-EU Privacy Shield?
Is the Trans-Atlantic Data Privacy Framework currently in force?
Do I currently need to do anything?
After almost two years of thorough negotiations, the European Commission and the United States have agreed on a new Trans-Atlantic Data Privacy Framework. The deal ensures that data transferred to the US is adequately protected, addressing the EU Court of Justice’s (Schrems II) ruling on safe and secure data flows and a competitive digital economy and economic cooperation which invalidated the privacy shield.
Based on the new framework, data will be able to flow freely and safely between the EU and participating US companies. The new framework ensures that:
This new framework will offer a stable foundation for trans-Atlantic data transfers, which are essential for preserving individuals’ rights and allowing trans-Atlantic commerce in all sectors of the economy, including small and medium-sized businesses.
The European Data Protection Board (EDPB) welcomed the announcement of the political agreement, in principle, between the European Commission and the United States on 25 March. In an official statement from the EDPB, several things have been noted:
In an official release from the White House, President Biden stated that:
This new arrangement will enhance the Privacy Shield framework, promote growth and innovation in Europe and in the United States and help companies, both small and large, compete in the digital economy.
We can assume that the New Trans-Atlantic Data Privacy Framework has been made to ‘enhance’ the Privacy Shield framework as negotiations have been taking place since the Court of Justice of the European Union (CJEU) annulled the US Privacy Shield in the Schrems II ruling on June 16, 2020.
Von der Leyen stated in the joint statement that the Trans-Atlantic Data Privacy Framework is an, in principle, agreement between the EU and the US. Both sides have a little more work to do before the text is complete however, both have provided high-level overviews of what the new Framework will feature and the next steps needed.
The US needs to issue an Executive Order which includes the commitments undertaken in the agreement. Based on this Order, the Commission needs to issue a draft adequacy decision which shall then follow a procedure to be adopted that involves also the EDPB.
🇺🇸 The United States has issued a press release and a fact sheet.
🇪🇺 European Commission has also issued a press release and fact sheet.
If you are aligned with our previous guide (i.e., CJEU case law/ Schrems II decision), you don’t need to do anything yet, as the framework hasn’t been established.
It would be best to keep an eye on the advancements made, and you can trust that iubenda has you covered when it comes to understanding these complex matters; we’ll keep you informed and up-to-date.