After the European Court of Justice declared in July 2020 that the basis of transfer of the Privacy Shield agreement in the Schrems II judgment was invalid, there has been uncertainty as to how you can legally and securely transfer personal data from the EU to the USA. Since July 2020, the European Commission and the USA have negotiated a replacement of the Privacy Shield agreement, and there is now light at the end of the tunnel. The name of the new basis of transfer will be the Trans-Atlantic Data Privacy Framework.

The USA and the EU have agreed on the principles of a new agreement even though the text is not yet ready. But the ambition is that there is once again to be free trade between the EU and the companies in the USA that have certified that they will comply with the principles of the agreement.

Basic elements of the agreement

The most important general elements which the EU and the USA have agreed on are:

  • To ensure a free and secure data flow between the EU and the participating companies in the USA.
  • To lay down new rules and binding security mechanisms which will limit the US enforcing authorities’ access to personal data to what is necessary and proportional to protect national security.
  • That the US enforcing authorities arrange new procedures to ensure transparency and accordance with a new standard concerning privacy rights and civil rights.
  • To establish a new two-step system to ensure that EU data subjects obtain an effective judicial review if personal data are transferred and accessed by the US enforcing authorities.
  • That companies transferring personal data from the EU to the USA certify with the US Department of Commerce.

The agreement between the European Commission and the USA will form the basis of the preparation of an executive order in the USA. The executive order will then form the basis of the European Commission’s adequacy assessment

The European Commission's approval procedure

As soon as the European Commission and the EU have agreed on the details, and the executive order has been prepared in the USA, the European Data Protection Board is also to comment on the draft adequacy assessment before the European Commission can finally adopt it. The European Data Protection Board is expected to make a thorough review. If the European Data Protection Board has any objections against the draft, the final approval procedure may drag on.

We expect that it will take several months to get a new basis of transfer in place but it will hopefully be in place during 2022. But the status today and tomorrow is still that no new basis of transfer is yet in place and, for the time being, controllers and processors are to continue as usual when transferring data to the USA which involves risk assessments, TIAs and supplementary measures, if necessary.