Monday, 23 December 2024

The United States and European Commission Announce Trans-Atlantic Data Privacy Framework

On 25 March the US and EU announced an “agreement in principle” on a new legal framework for GDPR-compliant transfers of EU personal data to the United States. The agreement reflects the US commitment to implementing new safeguards designed to address concerns that led to the July 2020 Schrems II decision of the European Court of Justice (ECJ), striking down the EU adequacy decision underpinning Privacy Shield. While the announcement has been widely welcomed, it remains an “agreement in principle”, with details and timing yet to be confirmed. Along with expressions of welcome and relief, initial reactions also included a strong indication that the new arrangements are likely to be challenged by privacy campaigners including Max Schrems and NOYB, describing “Privacy Shield 2.0” as “lipstick on a pig”.

What is likely to change in the new agreement?

The success or failure of the new agreement will depend on the extent to which it overcomes the flaws identified by the ECJ in Schrems II. The ECJ ruled against the EU Commission’s adequacy decision in favor of Privacy Shield, finding that data subjects were inadequately protected against electronic surveillance or “signals intelligence” activities carried out under US Federal authority, and that data subjects impacted by such activities had no viable route to redress.

Privacy Shield 2.0?

It is important to remember that Schrems II did not strike down Privacy Shield, which has continued to operate since July 2020. Rather, the European Court of Justice ruling struck down the EU Commission’s adequacy decision in favor of Privacy Shield. Consequently, a key objective of the new Trans-Atlantic Data Privacy Framework is not to replace Privacy Shield but to revive and enhance it with new mechanisms to address the flaws identified in Schrems II. Participating companies and organizations that take advantage of the Framework to legally protect data flows will continue to be required to adhere to the Privacy Shield Principles, including the requirement to self-certify their adherence to the Principles through the U.S. Department of Commerce.

What is next?

From the EU side, the Commission must follow the procedures and consultation requirements under GDPR Article 45. That process requires:

  • A proposal from the European Commission
  • An opinion of the European Data Protection Board
  • An approval from representatives of EU member states
  • Adoption of the decision by the European Commission.

Direct Publication Source: https://www.natlawreview.com/article/united-states-and-european-commission-announce-trans-atlantic-data-privacy-framework

Comments


You May Like These Too


Get Latest Updates