In July 2020, a transatlantic agreement on data protection – the privacy shield – was proposed and then invalidated by the Court of Justice of the European Union. After almost 3 years of absence of a defined legal framework, Ursula Von Der Leyen and Joe Biden signed an agreement in principle on a new text on March 25.
The question remains to this day whether this new proposal will meet the requirements of the CJEU and whether, finally, companies will be able to transfer data to the United States while ensuring their users the protection of their data.
North Korean Lazarus hackers stole 500 million euros worth of Ethereum
An expected transatlantic agreement
The President of the European Commission and the President of the United States have announced the signing of an agreement in principle concerning a new transatlantic legal framework. After the rejection of Safe Harbor and Privacy Shield, companies that transfer data from Europe to the United States find themselves in legal uncertainty, forcing them to use Standard Contractual Clauses (SCCs) until today. This is why this data protection agreement is so long awaited on our side of the Atlantic.
In his press release dated April 6, the EDPS (European Data Protection Board) warns, however, that this text will have to be translated into concrete legal proposals and meet European requirements for it to be validated.
Concrete legal proposals to ensure data protection
According to the GDPR, in order for this agreement to be put in place, it must be proposed and validated by the European Data Protection Board. It will start from the current case law of the CJEU and will develop it in order to shed light on certain gray areas that persist within the latter, preventing it from properly ensuring the protection of European Internet users. Remember that one of the main arguments put forward during the rejection of the last two proposals concerned access to personal data processed by companies and administrative authorities, considered incompatible with European requirements. The CJEU also raised concerns about US surveillance laws.
Ultimately, the proposals must guarantee a satisfactory level of data protection guaranteed by the US authorities.
Protect Internet users in the European Economic Area (EEA)
Given the amount of data that transits from Europe to the United States, it is essential that measures be taken to protect the privacy and personal data of individuals in the European Economic Area. The main purpose of this agreement will be to protect citizens on the one hand, and data exporters on the other. Therefore, the CJEU will ensure that the proposed legal framework ensures that the collection of personal data for national security is only used where necessary and in a proportionate way. It will also verify the extent to which independent redress mechanisms respect the rights of individuals in the EEA.
This new transatlantic agreement and its validation are particularly awaited by European companies since it will facilitate the transfer of data from one continent to another. It remains to be seen whether the concrete legal proposals will be able to respond to the concerns put forward by the CJEU and convince the EDPS.