Trans-Atlantic Data Privacy Framework welcomed, but plain sailing not expected

12th April 2022EU and US flags merged

According to The White House, more data flows between the United States and Europe than anywhere else in the world.  They tell us that this enables the $7.1 trillion EU-US economic relationship.  However, the transferring of this personal data has a rather complex backstory – and more confusion could be on the horizon with the announcement that a new trans-Atlantic data privacy framework is being worked on.

Initially, there was an agreement between the EU and the US called Safe Harbor which allowed for the free flow of data from the EU to companies in the US registered with the Safe Harbor scheme, this was invalidated and replaced with a new improved Safe Harbor certification scheme called Privacy Shield. This meant that so long as organisations in the US joined and agreed to the terms of the Privacy Shield scheme, personal data could legally and compliantly flow across the Atlantic from the EU.

However, in 2020 Privacy Shield was declared invalid after a court battle with Max Schrems – with the European Court of Justice concluding that Privacy Shield gave ‘undue priority to the requirements of national security, public interest and compliance with US law’ to an extent that they felt was disproportionate.  The other big problem with Privacy Shield was that there was no obvious way that data subjects could seek redress if they felt they had been treated unfairly.

As a result of the Privacy Shield transfer mechanism being invalidated, organisations wishing to transfer personal data from the EU to the US, or any other country not in the EEA or where an adequacy decision has been granted, must now carry out a rather complex and time-consuming Transfer Impact Assessment (TIA) which mandates that they must consider the data protection level of the recipient in the so-called ‘third country’ (that is countries outside of the EU) and the legal framework of the country as well, referred to as double due-diligence. Due to the lack of practicality of completing this assessment, and the economic scale and importance of the relationship between the EU and the US, data protection specialists have long hoped that a replacement to Privacy Shield would happen.

What happens next?

On March 25th 2022 an announcement was made by the White House and the European Commission stating that the United States has “committed to a new Trans-Atlantic Data Privacy Framework which will foster trans-Atlantic data flows and address the concerns raised by the court of Justice of the European Union . . in 2020”. Source: White House

However, it is important to note that both the White House and the European Commission are very clear that at this stage, it is simply an announcement of ‘an agreement in principle’.

The biggest indication that we still have a very long way to go, comes from the European Data Protection Board (EDPB), who in their statement welcome it as a ‘positive first step in the right direction’. . . They continue: ‘At this stage, this announcement does not constitute a legal framework on which data exporters can base their data transfers to the United States.’

No supporting documents are available yet.  All we have at this stage is the announcement.

In addition, data protection activist Max Schrems is still on the case.  His response to this latest development is not a warm one.  He points out that it will still be a few months before there is even a text to be analysed and then he is not confident that it will pass his scrutiny or that of his peers:

We expect this to be back at the Court within months from a final decision. . . . .  .It is regrettable that the EU and US have not used this situation to come to a ‘no spy’ agreement, with baseline guarantees among like-minded democracies. Customers and businesses face more years of legal uncertainty.” Max Schrems

So, we are still a long way from any clarity in terms of what is going to happen next.  It is a case of watch this space.  Stay tuned to our blog – we will keep you posted on developments.

In the meantime, if you need any help or advice with exporting data to the United States or any other third country, please do not hesitate to contact us.  The best place for you to start is to book your complimentary half hour consultation which you can do here.

Book your complimentary half hour consultation with one of our data protection specialists

Let us ease your mind

If you have any queries, questions or requests then please get in touch. We’re always very happy to talk, you’ll find a friendly voice on the end of the line or simply fill out the form below.

    Your Contact Details

    This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.