What does GDPR say about processing of personal data?
The processing of personal data and their transfer abroad are among the most important issues regulated by the GDPR, since outside the EU don’t exist safeguards equal to the ones guaranteed by the European lawmaker.
EU Regulation number 679 of 2016, in fact, indicates that the transfer of the data to third countries can only take place in compliance with the rules of adequacy: in other words, the European Commission must acknowledge that the country in which the data are assigned complies with the standards set by the Community laws in matter of data protection.
On the other hand, the transfer is allowed if the data controller or processor provides proper guarantees, or if specific conditions exist as illustrated in the art. 49 from EU reg. n.679 of 2016 (for example: the interested side agreed after reading a disclosure which lists the risks associated with the transfer of personal data in the absence of guarantees).
In order to ensure the security of data moved abroad, as arranged by the judgment of the Court of Justice of the European Union (Schrems II), the European Commission and the United States have reached an agreement on a new Trans-Atlantic Data Privacy Framework which will make transatlantic data flows easier.
How does the processing of personal data change with the Trans-Atlantic Data Privacy Framework?
The Trans-Atlantic Data Privacy Framework is an important signal that shows a commitment with no equals in history by the United States to make reforms that will strengthen the protections of privacy and citizens liberties which can be applied to United States signals intelligence activities.
According to the agreement, in fact, the USA will have to implement new measures to:
- Ensure that supervision activities are necessary and balanced to the pursuit of defined national security goals;
- Establish an independent two-level redress mechanism and an authority to identify direct measures to remedy;
- Improve the supervision of intelligence activities to make sure a clear and effective control of the new standards in terms of privacy treatment.
The Trans-Atlantic Data Privacy Framework is the result of more than a year of negotiations between the European Union and the United States and intends to provide a solid and lasting way for transatlantic data flows, which are essential to protect citizens’ rights and enable trade in all sectors of the economy, including small and medium-sized companies.
The new framework promotes an inclusive digital economy in which everyone can be part of and in which all companies can thrive and reinforce cooperation between the United States and the European Union, including through the Trade and Technology Council and multilateral forums about digital policies, such as the Organization for Economic Cooperation and Development.
Therefore, the goal of the Trans-Atlantic Data Privacy Framework is to establish the principles which transfers of personal data from Europe to the USA must be compliant with, defining new rules to guarantee the same level of privacy protection and data treatment between the USA and EU.
What are the key principles of the Trans-Atlantic Data Privacy Framework?
Let’s find out what are the most important aspects of the new framework shared between the EU and the US:
- Data may be freely and safely transferred between the EU and participating US companies;
- A series of mandatory rules and guarantees will be defined to limit access to personal data by US intelligence authorities, considering only what’s strictly necessary to really protect national security. US intelligence agencies will also need to adopt procedures to ensure effective oversight of the new privacy standards;
- A new two-levels judgment system is set to resolve European citizens’ complaints about access to data by US intelligence authorities, including a Data Protection Review Court;
- Strict obligations will be defined for companies processing personal data transferred from the European Union and will be needed a compliance self-certification related to make sure the adoption of such Principles through the United States Department of Commerce;
- Specific monitoring and review mechanisms will have to be implemented.
What will be the benefits of the new framework?
Here are the key benefits of the Trans-Atlantic Data Privacy Framework:
- Proper data protection of European citizens moved to the United States, in response to the judgment of the European Court of Justice (Schrems II);
- Safe and secure data streams;
- Longlasting and reliable legal basis;
- Competitive digital economy and economic cooperation;
- Continuous data flows, driving €900 billion of cross-border trade every year.
The next steps: what will happen next?
The next step will be turning the agreement into a concrete legal document. The US commitments will be included in an executive order that will form the foundation of a draft adequacy decision by the Commission for making the new transatlantic data privacy framework possible.
