European Data Protection Board issues statement on the proposed new framework for US data transfers
In a statement issued earlier this month (6 April 2022), the European Data Protection Board (EDPB) has stated that it welcomes the announcement of a new political agreement between the European Commission and the United States in relation to personal data transfers between the two territories.
The EDPB confirms its commitment to examine how this political agreement translates to more defined legal proposals to address the concerns raised by the Court of Justice of the European Union (CJEU) in the Schrems II case in 2020.
The GDPR requires that the European Commission seeks an opinion from the EDPB before adopting a possible new adequacy decision recognising as satisfactory the level of data protection guaranteed by the US.
Why it matters
Since the Schrems II decision and the invalidation of the EU-US Privacy Shield, businesses have struggled to easily transfer personal data from the EU to the US (and vice versa).
The newly proposed Trans-Atlantic Data Privacy Framework (TADPF) seeks to address this gap and allow businesses to easily transfer personal data between the two territories.
However, the proposals are still at the very early stages and will require review from the EDPB.
In the meantime, organisations should continue using Standard Contractual Clauses, together with supplementary security measures, to ensure personal data can still flow between the EU and the US.
Following Brexit, the UK is likely to forge its own path in the future in relation to UK-US data transfers.
OECD negotiations continue in relation to how national security agencies can access personal data
Policymakers from the EU, US, UK and other similar countries within the OECD have been meeting to discuss new ways forward in developing an international framework that would define how national security agencies can access people’s information.
Disagreements currently exist in relation to the scope of the proposed pact, with the EU favouring a broader, less specific approach that encompasses all forms of government access to data, such as for monitoring tax avoidance.
If finalised and settled upon, the agreement between OECD partners on the principles of government access may help unblock many of the issues currently facing EU-US data transfers from a GDPR perspective.
Why it matters
Since the invalidation of the EU-US Privacy Shield in 2020, the key argument preventing EU organisations from transferring personal data to the US has been the ability of US government authorities to disproportionately access transferred personal data for suspected national security concerns, without EU residents being able to formally appeal against the decision in a legal forum (such as a court).
If countries start following a common set of standards set by an OECD mandate, this may alleviate concerns that US government authorities can (and will) access personal data from the EU in an indiscriminate and privacy-intrusive way.
How will the new EU data sharing law boost innovation and the use of big data?
The Data Governance Act, adopted by the European Parliament in April 2022, aims to boost data sharing in the EU so that organisations will have access to more data that they can use to innovate and develop new products and services.
Potential industries that can benefit include the energy sector, manufacturing and technology.
The new rules will allow data collected in some areas of the public sector to be better used via the creation of common ‘data spaces’ and ‘data marketplaces’.
Why it matters
The Data Governance Act exists alongside the EU GDPR and does not create exceptions to data protection.
However, it does promote the sharing of data within the public sector through various methods such as ‘data spaces’ and ‘data marketplaces’ where online platforms can buy or sell data.
The intention is to promote innovation by unlocking the hidden value of data within the public sector and using it to promote economic growth.
Lindsey has a strong track record in providing risk advisory services with a focus on governance, regulatory compliance, conduct and culture, data protection, and third-party assurance. He helps organisations successfully address governance, risk management and compliance challenges.