Key takeaways

  • Since the ‘Schrems II’ ruling in July 2020, the transfer of personal data between the European Union and the United States has been at an impasse.
  • On 25 March 2022, the European Commission and the United States announced that they had agreed in principle to a new legal framework for the transfer of personal data from the European Union to the United States.
  • A potential way out therefore seems to be emerging for companies facing this legal ‘headache’.

Since the Schrems II ruling in July 2020, the transfer of personal data between the European Union and the United States has been in a deadlock. On March 25, 2022, the European Commission and the United States announced that they had reached a preliminary agreement on a new legal framework for the transfer of personal data from the European Union to the United States. A potential resolution now seems to be emerging for businesses facing this "legal headache."


Schrems II: invalidation of the Privacy Shield

Back in July 2020, the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield, which had previously governed personal data transfers between the EU and the US. It ruled that the data transfer instruments listed in Article 46 of the General Data Protection Regulation (GDPR) were insufficient on their own to regulate such transfers.

Under Article 46 of the GDPR, personal data transfers can only occur if an adequacy decision recognizes that the third country provides an adequate level of protection. If there is no adequacy decision, the transfers are governed by appropriate safeguards such as Binding Corporate Rules (BCR), Standard Contractual Clauses (SCC), codes of conduct, etc.

Consequently, businesses wishing to transfer personal data to the US must, in addition to implementing appropriate safeguards, demonstrate the adoption of additional contractual, technical, and organizational measures. However, no additional measure has been deemed sufficient so far due to the surveillance carried out by US intelligence services, which significantly complicates cross-border data flows.


New Agreement in Principle for Personal Data Transfers

On March 25, 2022, the European Commission and the US announced that they had agreed on the principles of a "new transatlantic framework for personal data protection," specifically for transferring personal data from the European Union to the United States.

This is currently only an agreement in principle, but some key elements were communicated by the European Commission, including:

  • New rules and safeguards to ensure that surveillance activities are necessary and proportionate to the pursuit of national security objectives, as required by the GDPR.
  • The creation of an independent two-level complaint mechanism to handle complaints from Europeans regarding US intelligence services’ access to their data, along with a dedicated tribunal.
  • The introduction of obligations for businesses handling personal data transferred from the EU, including the requirement to certify adherence to the principles outlined.
  • The establishment of procedures for effective monitoring of the new standards and new review mechanisms.

This agreement in principle should pave the way for a new adequacy decision, which would make data flows secure and sustainable.


Caution from the European Data Protection Board (EDPB): The EDPB expressed caution in its statement of April 6, 2022. It warned that this agreement must be translated into concrete legal proposals that meet European requirements before it can be validated. The European Commission will need to seek the EDPB’s opinion before adopting any new adequacy decision recognizing an adequate level of data protection.

The key question remains whether the legal proposals will satisfy the EDPB’s requirements, which would lead to the adoption of a new adequacy decision.


RSM’s Advice: This agreement in principle does not constitute a legal framework until a formal agreement is finalized and enters into force. RSM advises its clients to ensure that data hosting is conducted within the EU, with no possibility of transfer to the United States. Where a transfer to the US is nonetheless necessary, companies should regulate any such hosting or transfer by applying strengthened measures and safeguards for the protection of personal data.