A new agreement on the exchange of personal data between the EU and the US is on the way
The European Commission and the US authorities have concluded an agreement in principle on transfers of personal data between the EU and the US. However, this is only an overall statement, which means that there is as yet no clarification of the issues that the Schrems II decision has caused.
WHAT WE KNOW
The name of the new transfer basis will be "Trans-Atlantic Data Privacy Framework". The EU and the US have agreed on some overarching elements of the agreement. The agreement entails that:
- A free and secure data flow between the EU and the participating companies in the US must be ensured
- New rules and binding safeguards must be established that restrict access to personal data by US intelligence authorities so that they only have access to what is necessary and proportionate to protect national security
- Procedures must be adopted by US intelligence authorities to ensure effective oversight of the new privacy and civil liberties standards
- A two-step system is to be put in place to ensure effective judicial review for EU data subjects if their personal data has been transferred to the US intelligence authorities
- Companies must self-certify with the US Department of Commerce if they transfer personal data from the EU to the United States.
The agreement in principle, which has been concluded between the European Commission and the United States, will now be translated into legal documents. The US authorities will prepare an Executive Order, which will form the basis for a draft adequacy decision to be adopted by the European Commission to introduce the new transfer basis, the "Trans-Atlantic Data Privacy Framework".
After this draft has been prepared, the European Data Protection Board (EDPB) must comment on the draft before the European Commission can adopt it. If the EDPB objects to the draft, the approval process in the European Commission can drag on.
It is important to stress that this is still only an agreement in principle: there is not yet a new transfer basis in place, and it will probably take a while to get the new agreement in place. Therefore, if you transfer personal data to the United States, you should still be aware of the current requirements for, e.g., Transfer Impact Assessments (TIAs) and supplementary measures.