PH FedACTion: Financial Regulatory Updates
EDPB issues Statement on the announcement of a new Trans-Atlantic Data Privacy Framework
By Sarah Pearce
The European Data Protection Board has spoken following the announcement of an agreement in principle on a new Trans-Atlantic Data Privacy Framework. In its formal statement, the EDPB “welcomed” the announcement but issued a firm warning that the agreement in principle remains just that - it does not constitute a legal framework on which data exporters can base their transfers to the United States. The EDPB reiterated the position following the CJEU Schrems II decision of 16 July 2020 and issued a reminder to organisations transferring personal data outside the EU to the US that they must continue to take the necessary measures to comply with the transfer requirements of the General Data Protection Regulation and the Schrems II judgment. The Board did, however, recognize the commitment of the U.S. authorities to implement ‘unprecedented’ measures to protect privacy and personal data as “a positive first step in the right direction”.
An opinion of the EDPB is required under the GDPR before any new adequacy decisions can be adopted. The Board has confirmed that, once in final form, it will consider how the agreement translates into “concrete legal proposals” to address the concerns raised by the CJEU in Schrems II. In particular, the EDPB will look to see how the proposed reforms ensure that the collection of personal data for national security purposes is limited to what is strictly necessary and proportionate; and to what extent the proposed independent redress mechanism gives EEA individuals’ the right to an effective remedy and to a fair trial.