Data transfers to the USA | TechBuzz

On March 25, the EU Commission and the USA published a declaration that was eagerly awaited by many companies: There was agreement on the principles of the Trans-Atlantic Data Privacy Framework (TADPF). Almost two years ago, the “Schrems II” judgment of the ECJ made transatlantic data transfers massively more difficult. The judges overturned the Privacy Shield, an agreement under which data was transferred from the EU to the US. In 2015, the previous Safe Harbor Agreement was declared void by the ECJ. Therefore, companies currently have to resort to other transfer mechanisms, such as the standard data protection clauses (SDK) specified by the EU. However, there is still a great deal of legal uncertainty, as the requirements of the “Schrems II” judgment and the requirements of the supervisory authorities result in some high hurdles.

Bearers of hope TADPF

Great hopes are therefore placed on the emerging TADPF. Little is known about the specific content, but the goal is: finally, harmony between the security interests of the USA and European data protection standards and the rule of law. Key content can be found in the US government press release. The TADPF is to be based on the previous Privacy Shield. What is new is that a quasi-judicial, two-stage body is to be established that will decide on complaints from those affected from the EU. In addition, measures taken by the US secret services are intended to ensure that surveillance, for example, is reduced to a reasonable level. The USA will implement the desired changes via a new administrative regulation (Executive Order) of the President. EU Justice Commissioner Didier Reynders named the end of the year as a possible target date for ratification.

announced resistance

But Max Schrems, whose lawsuits brought down the previous agreements, criticizes the TADPF as a “purely political” agreement “without a legal basis”. He assumes that every agreement that does not correspond to the data protection level of the EU will be challenged before the ECJ in a timely manner. The question is how quickly a “Schrems III” verdict can be expected. Safe Harbor was in place for 15 years, the first lawsuit against the Privacy Shield was filed a month and a half after publication, and was repealed around four years later.

The announcement of the TADPF does not yet ensure legal certainty for companies. It is still necessary to secure transatlantic data transmissions with the existing means (e.g. SDK). The SDK, which was published last year and is now modular, is currently being used by many companies – for contracts with service providers and customers or for intra-group data transfers. Since autumn 2021, only the new SDK may be used for new contracts, for old contracts until December 27, 2022. This deadline should be kept in mind, because regardless of the implementation of the TADPF, it is advisable for EU companies to use SDK with US -Company – because the risk of a “Schrems III” verdict is high and you are better armed with the SDK.