On March 25, 2022, the publication of a new data protection agreement between the EU and the USA took place. This is already the third agreement affecting transatlantic data transfers. What exactly was recorded and how this currently affects practice, you can read here.
Why a new data protection agreement?
The Processing of data in third countries is a well-known problem under data protection law.
In principle, this requires a guarantee in the third country (country outside the EU, i.e. outside the scope of the GDPR) that a level of protection for personal data comparable to the GDPR exists. For this purpose, the EU Commission issues so-called adequacy decisions. Most recently, the "Privacy Shield Agreement" existed as such an adequacy decision until July 2020. After the ECJ determined that this agreement did not provide an equivalent level of protection to EU law (GDPR) (Schrems II ruling), the agreement was overturned. The reasons for this were in particular the far-reaching access possibilities of intelligence services to data in the USA and the lack of enforceability of data subjects' rights against the American authorities. As a result, there was a great deal of uncertainty regarding the transfer of data to the USA.
Content of the new data protection agreement
The new data protection agreement called "Trans-Atlantic Data Privacy Framework" is to be the successor to the "Privacy Shield". It is intended to enable the free and secure exchange of data between the EU and the USA (or participating companies). It is to contain a new set of rules with binding protective measures. This is also intended to restrict access by the American intelligence services. This would then only be possible if it were necessary and proportionate to protect national security.
In addition, a two-tier redress system is to be introduced so that EU citizens can lodge effective complaints.
US companies that want to process data from the EU are also to be subject to stricter obligations. Compliance with these is to be confirmed via self-certification.
The new data protection agreement in practice
The White House speaks of "unprecedented commitments" to protect data, but this does not mean that any data transfer to the U.S. is problem-free from now on. The new data protection agreement "Trans-Atlantic Data Privacy Framework" is currently only an announcement by the US government and the EU Commission. A number of intermediate steps are necessary before it takes full legal effect. Data transfer to the USA must therefore continue to be examined on a case-by-case basis for the time being. It remains to be seen whether and when the new data protection agreement will come into force. However, the development leading up to this announcement can be seen as encouraging. And in keeping with the motto "third time's the charm," this third attempt at a data protection agreement could be an agreement that facilitates practice, despite the existing criticism that it does not take all the points of criticism from Schrems II into account.
Would you like advice and assistance on data protection-compliant processes in your company? Our team of experts will be happy to assist you!