On 6 April 2022, the European Data Protection Board (EDPB) released a statement welcoming the announcement of 25 March 2022 of an agreement in principle on a new European Union (E.U.) – United States (U.S.) transatlantic framework for data transfers. In its statement, the EDPB highlights the “unprecedented” measures that the U.S. intends to implement to ensure adequate protection of the rights and freedoms of E.U. citizens whose personal data is transferred to the U.S. Nevertheless, the EDPB also stresses that, although these are positive measures, the announcement should not be read as a valid mechanism that can already be relied on for data transfers; rather, it is a declaration of intent and common ground.
This article highlights some of the novel changes in the proposed agreement and outlines the steps to acceptance of the proposal by the European Commission.
Proposed changes
The contents of the agreed principles are outlined in the fact sheets published by the E.U. and the U.S. The fact sheets portray a unified approach to adopting a set of changes relative to the previous Privacy Shield Agreement, as follows:
- Its scope is to facilitate the free flow of data between the E.U. and the U.S.
- Access to personal data by U.S. intelligence authorities will be limited to what is necessary and proportionate.
- A two-tier redress system will be established, including a Data Protection Review Court to adjudicate complaints from data subjects.
- A self-certification mechanism will be administered by the U.S. Department of Commerce, through which organisations commit to adhere to the proposed Agreement.
Nevertheless, the proposed measures still need to be evaluated in full to assess how far they depart from those enshrined in the Privacy Shield Agreement. In particular, the U.S. will need to demonstrate and ensure the implementation of the “effective legal remedies” to be made available to E.U. citizens whose personal data is transferred to the U.S. As the Court of Justice of the European Union held in the Schrems II decision, an effective legal remedy means a remedy before an independent and impartial body with the powers of a court; the Privacy Shield Ombudsperson did not meet that standard. Thus, the U.S. must show that the proposed two-tier redress mechanism, including the Data Protection Review Court, is genuinely different from the Ombudsperson approach of the 2016 Privacy Shield Agreement. Additionally, the U.S. will need to codify, and comply in substance with, the principles of necessity and proportionality when limiting U.S. intelligence authorities' access to personal data.
Next Steps and Challenges
The announcement may have generated much excitement; however, it has yet to take the shape of a binding agreement, and that will take time. For comparison, it took five months for the Privacy Shield Agreement to become a valid transfer mechanism and four months for the United Kingdom to obtain an adequacy decision. Given the ongoing Russia – Ukraine crisis, there is currently not enough clarity to estimate how long it will take to conclude the agreement and for it to take effect. A high-level overview of the process is as follows:
- The European Commission drafts an adequacy decision.
- The EDPB examines the draft adequacy decision and publishes a non-binding opinion.
- The European Parliament may adopt a non-binding resolution asking the European Commission to reconsider the draft decision and, if appropriate, amend it.
- A committee composed of Member State representatives must approve the draft decision.
- If approved, the European Commission formally adopts the decision and publishes it in the Official Journal of the E.U., at which point it takes effect.
It should be clear that the agreement can be used as a legal basis for transferring data only once the European Commission's decision has been formally adopted and published.
How to Comply
As mentioned, there is currently no change to the obligations cast by the Schrems II decision on controllers located within the E.U. and the EEA: transfers to the U.S. still require a valid transfer mechanism, such as standard contractual clauses, together with an assessment of the laws of the destination country and, where needed, supplementary measures. The announcements have yet to be codified and approved by the European Commission and therefore cannot be considered a mechanism to be relied on for data transfers to the U.S.
By contrast, controllers located in the United Kingdom (U.K.) may become subject to different conditions arising from the U.K.'s own negotiations with the U.S. The U.K. government has placed the U.S. on its priority list for future data partnerships, so it will be necessary to observe how a U.S. – U.K. agreement takes shape in the coming months.
Organisations in the E.U. and the U.S., along with those in the U.K., will need to stay alert and monitor the new compliance obligations cast by the ever-changing regime for international data transfers.
If you wish to discuss the issues covered in this article or any other matter concerning Data Protection, please visit the Trilateral Data Governance page, and do not hesitate to contact a member of Trilateral Research's DPO team, who will be happy to assist you.