The EU and the US have taken further steps to launch the successor to the Privacy Shield, which was declared invalid in 2020. EU Commission President Ursula von der Leyen and US President Joe Biden announced that they had reached an agreement in principle on March 25.
The new "Trans-Atlantic Data Privacy Framework" is intended to promote the transatlantic exchange of data and address the issues criticized by the ECJ in Schrems II. However, no details of the agreement have been provided and no specific legal texts are yet available.
Companies welcome a quick regulation, as there has been no valid agreement for the transfer of personal data to third countries since Schrems II in June 2020 - i.e. for almost two years now.
Legal certainty for third country transfers
Two agreements have already been reached between the EU and the USA that were intended to guarantee companies legal certainty when transferring data to third countries. Both are now history. The "Safe Harbour" agreement was declared invalid by the ECJ in 2015, the "Privacy Shield" agreement in 2020. The Austrian lawyer and data protection activist Max Schrems had filed a lawsuit in each case, and the "Schrems I" and "Schrems II" rulings are considered groundbreaking in data protection.
Privacy Shield 2.0: What's new?
Or rather: is anything new at all? According to a joint announcement by the EU and the US, the rules are intended to be an "unprecedented commitment" on the US side to introduce reforms to protect privacy and fundamental rights from American surveillance.
In future, surveillance by US intelligence agencies will only take place if it is necessary and proportionate in the interests of national security. However, as there are no corresponding legal texts yet, it is not possible to check whether the planned regulations will also be compliant with the GDPR.
New edition of "Schrems II"?
Max Schrems is correspondingly dissatisfied: "We already had a purely political agreement in 2015 that had no legal basis whatsoever. As it currently stands, we could now be playing the same game a third time." He continues: "As soon as the final text is available, we will analyze it in detail together with our US legal experts. If it is not in line with EU law, we or others will probably challenge it. In the end, the European Court of Justice will have to decide a third time. We anticipate that the matter will end up back before the Court within a few months of a final decision.
What does this mean for companies?
Initially, it will probably take until the end of the year for the new regulation to come into force. Companies will therefore have to be patient until they can use this new legal basis to transfer data to third countries. However, it remains to be seen whether and for how long the new agreement will remain in place.
