EU and USA announce progress in their negotiations. The envisaged framework (alone) does not yet bring legal certainty for transatlantic data transmission.
Bearers of hope TADPF
Great hopes are therefore placed on the emerging TADPF. Little is known about the specific content, but the goal is: finally, harmony between the security interests of the USA and European data protection standards and the rule of law. Key content can be found in the US government press release. The TADPF is to be based on the previous Privacy Shield. What is new is that a quasi-judicial, two-stage body is to be established that will decide on complaints from those affected from the EU. In addition, measures taken by the US secret services are intended to ensure that surveillance, for example, is reduced to a reasonable level. The USA will implement the desired changes via a new administrative regulation (Executive Order) of the President. EU Justice Commissioner Didier Reynders named the end of the year as a possible target date for ratification.
But Max Schrems, whose lawsuits brought down the previous agreements, criticizes the TADPF as a “purely political” agreement “without a legal basis”. He assumes that every agreement that does not correspond to the data protection level of the EU will be challenged before the ECJ in a timely manner. The question is how quickly a “Schrems III” verdict can be expected. Safe Harbor was in place for 15 years, the first lawsuit against the Privacy Shield was filed a month and a half after publication, and was repealed around four years later.
The announcement of the TADPF does not yet ensure legal certainty for companies. It is still necessary to secure transatlantic data transmissions with the existing means (e.g. SDK). The SDK, which was published last year and is now modular, is currently being used by many companies – for contracts with service providers and customers or for intra-group data transfers. Since autumn 2021, only the new SDK may be used for new contracts, for old contracts until December 27, 2022. This deadline should be kept in mind, because regardless of the implementation of the TADPF, it is advisable for EU companies to use SDK with US -Company – because the risk of a “Schrems III” verdict is high and you are better armed with the SDK.