Privacy & Cybersecurity Law Blog

On April 7, 2022, the European Data Protection Board (the “EDPB”) released a statement on the announcement of a new Trans-Atlantic Data Privacy Framework (the “Statement”).

A new framework for transfers of personal data between the EU and the U.S. has been needed since the previous EU-U.S. Privacy Shield framework was annulled by the Court of Justice of the European Union (“CJEU”) in the Schrems II judgment in July 2020. Discussions on a potential enhanced EU-U.S. Privacy Shield framework had recently intensified.

In the Statement, the EDPB welcomes the announcement of a political agreement in principle between the European Commission and the U.S. and indicates that it sees U.S. authorities’ commitment to implement measures to protect EU individuals’ privacy and personal data as a positive first step in the right direction. The EDPB reminds, however, that the joint announcement of the European Commission and the U.S. does not yet constitute a legal framework that can be relied on to legitimize transfers between the EU and the U.S. For the time being, companies must continue taking the necessary measures to comply with the transfer requirements of the EU General Data Protection Regulation and the Schrems II judgment.

Once available, the EDPB will examine the European Commission’s draft adequacy decision for the U.S. in light of EU law, CJEU case law and its prior recommendations on this topic. In particular, the EDPB will verify how U.S. authorities’ suggested reforms ensure that the collection of personal data for national security purposes is limited to what is strictly necessary and proportionate, and that an independent redress mechanism is made available to provide EU individuals with an effective remedy and fair trial.

Read the EDPB Statement and the Press Release.