The EU and the US have taken further steps to launch the successor to the Privacy Shield, which was declared invalid in 2020. An agreement in principle has been reached, EU Commission President Ursula von der Leyen and U.S. President Joe Biden announced on March 25.
The new “Trans-Atlantic Data Privacy Framework” is intended to promote transatlantic data exchange and address the issues criticized by the ECJ in Schrems II. However, no details of the agreement have been provided and no concrete legislative texts are yet available.
Companies welcome a quick regulation, as there has been no valid agreement for the transfer of personal data to third countries since Schrems II in June 2020 – almost two years now.
Legal certainty for third-country transfers
Agreements have already been reached twice between the EU and the U.S. that were supposed to guarantee companies legal certainty in third-country transfers. Both are now history. The “Safe Harbour” agreement was declared invalid by the ECJ in 2015, the “Privacy Shield” agreement in 2020. The lawsuit was filed in each case by Austrian lawyer and data protection activist Max Schrems, and the “Schrems I” and “Schrems II” rulings are considered groundbreaking in data protection.
Privacy Shield 2.0: What’s new?
Or better: is anything new at all? According to the joint announcement by the EU and the U.S., the framework is intended to be an “unprecedented commitment” on the U.S. side to introduce reforms to protect privacy and fundamental rights from American surveillance.
In the future, surveillance by U.S. intelligence agencies is to occur only when necessary and proportionate based on national security interests. However, as there are no corresponding legal texts yet, it is not possible to check whether the planned regulations will also be compliant with the GDPR.
New edition of “Schrems II”?
Max Schrems is also correspondingly dissatisfied: “We already had a purely political agreement in 2015 that had no legal basis whatsoever. As it currently looks, we could now play the same game a third time.” He further explains, “As soon as the final text is available, we will analyze it in detail together with our U.S. legal experts. If it is not in line with EU law, we or others will likely challenge it. In the end, the European Court of Justice will have to decide a third time. We expect the matter to end up before the Court again within a few months of a final decision.”
What does this mean for companies?
Initially, it will probably take until the end of the year for the new regulation to come into force. So companies will have to be patient until they can transfer data to third countries with this new legal basis. However, it remains to be seen whether and for how long the new agreement will be in place.