Since the CJEU declared the Privacy Shield agreement invalid with its Schrems II ruling, the EU and the USA have been working on a replacement agreement. This is intended to enable companies to transfer data between EU countries and the USA., thereby creating a legal mechanism for data transfers.
This would then be the third attempt to replace Safe Harbor and the Privacy Shield 1.0.
There have been recent announcements in the press that a new treaty regulating transatlantic data flows is to be expected. For example, the online magazine politico states, that
opinions seem to diverge strongly, depending on who you ask.
As far as Washington is concerned, the answer is: A contract conclusion is imminent.
As far as Brussels is asked: We are far from that.
According to politico, Washington has informed industry groups and data privacy advocates that they have proposed “improved” solutions. According to US officials, a political agreement could only be some weeks away, coinciding with the first meeting of the EU-US Trade and Technology Council – a joint initiative – on September 29th.
Opinions on whether and when a deal could be reached seem to diverge widely.
From the European Commission’s point of view, there is obviously an interest in not concluding another agreement that is then subsequently overturned by the CJEU. However, this does not seem possible without legal adjustments on the part of the USA. Access by American security authorities to European data must be restricted and there must be effective legal remedies for EU citizens.
According to politico, US stakeholders are pushing to include talks on data flows between the two countries in the above-mentioned trade talks. From the EU’s point of view, however, the issues of trade and data protection should be discussed independently and therefore negotiated separately.
Business interest groups on both sides of the Atlantic have a strong interest in reaching a quick agreement. Due to the uncertainty over a new Privacy Shield agreement, other safeguards such as the EU standard contractual clauses are currently used to secure data flows to the US. However, it is unclear whether this safeguard will last in the long run.
Currently, it is necessary for data exporters to carry out elaborate assessments of the legal framework in non-EU countries (so-called TIA – Transfer Impact Assessments) and implement additional safeguards if EU data protection standards are not reached.
Politico accurately summarises, that regulators are already stepping in: Hamburg’s data protection commissioner, for example, urged local authorities to stop using Zoom, a video conferencing service, because of legal uncertainty about how German data is treated when sent across the Atlantic. The CNIL in France raised similar concerns about Microsoft, as did the Portuguese data protection authority about Cloudflare (an American technology company). Meanwhile, the EU is investigating similar issues in relation to Microsoft and Amazon.
Further developments remain to be awaited and it is to be hoped that agreements will soon be reached that guarantee sufficient data protection also overseas.
The full politico article of September 17th, 2021 can be found here.