The European Commission and the United States have introduced a brand new data switch mechanism, following the invalidation of Privacy Shield in July 2020.
As data privacy consultants might keep in mind, in July 2020 the Privacy Shield data switch mechanism (which utilized to transfers of European data to accredited US corporations) was invalidated following the ECJ resolution in Schrems II.
The newest improvement
On March 25, 2022, the European Commission and the United States introduced that that they had reached an settlement in precept on a model new Trans-Atlantic Data Privacy Framework.
Following a high-profile announcement, the joint assertion stated that the Framework would come with:
- A brand new algorithm and binding safeguards to restrict entry to data by US intelligence authorities to what’s needed and proportionate to guard nationwide safety. Intelligence businesses will undertake procedures to make sure efficient oversight.
- A brand new two-tier redress system to analyze and resolve complaints from Europeans about entry to data by US intelligence authorities. This features a Data Protection Review Court.
- Strong obligations for corporations processing data transferred from the EU. This will embrace the requirement to self-certify their adherence to the US Department of Commerce.
- Specific monitoring and evaluate mechanisms.
The full textual content of the settlement is just not but accessible and there may be some skepticism as to how this may tackle the problems of US intelligence surveillance that had been raised within the Schrems II case.
What does this imply for companies?
Once carried out, this new Framework will present a lawful foundation for the switch of non-public data from the EU to the US.
In order to be efficient, this settlement now must be integrated into legally binding paperwork. An govt order within the US will type the premise of a draft adequacy resolution by the European Commission, which is able to then must be formally adopted below GDPR. In follow, it could be a while earlier than corporations can depend upon this mechanism and it will likely be topic to problem by Max Schrems (the privacy campaigner who was chargeable for the case in keeping with which Privacy Shield was invalidated).
This Framework would not apply to switch of data from the UK to the US as it’s not a member of the European Union.