The European Data Protection Board has welcomed the announcement of a political agreement in principle between the European Commission and the United States of a new Trans-Atlantic Data Privacy Framework.
The proposed Trans-Atlantic Data Privacy Framework seeks to address the concerns which led to the Privacy Shield framework being found by the European Court to be invalid. The proposed new Framework will include:
- Safeguards to limit access to data by US intelligence authorities to what is necessary and proportionate to protect national security.
- A new two-tier redress system to investigate and resolve complaints from Europeans about access to data by US intelligence authorities. This includes a Data Protection Review Court.
- Strong obligations for companies processing data transferred from the EU. This will include the requirement to self-certify their adherence to the US Department of Commerce.
- Specific monitoring and review mechanisms.
When implemented, the Framework will provide a legal basis for personal data flows from the EU to the US.
However, it may be some time before organisations can rely on the new Framework as it has to be approved by the European Commission. At this stage, therefore, the Framework cannot be used for data transfers from the EU to the US and data exporters must continue to use Standard Contractual Clauses and to take the steps required to comply with the Schrems II decision of 16 July 2020.
And even when it is adopted, it will, like its predecessors (Safe Harbor and Privacy Shield) be open to legal challenge by privacy groups.
In any event, the Framework will not apply to transfers from the UK to the US, and the UK has previously indicated that the US is a priority for an “adequacy” partnership.