One Move Ahead

Legal & Tax Alerts

Transatlantic Exchanges of Personal Data

Publication: ZRVP

The European Union (“EU”) legislation, distinctly from the United States (“US”) legislation, tackles privacy and data protection under its core fundamental rights, guaranteed by the European Charter of Fundamental Rights. In this context, to ensure an adequate level of protection for European individuals, a straightforward legal framework on transatlantic data transfer is desired at the European level.

While the first attempt to ensure such safeguards was the U.S. Privacy Shield, further invalidated by the Court of Justice of the European Union (“CJEU”) on 16 July 2020, in the Schrems II case, the European Commission has recently published a draft adequacy decision (‘Draft Decision’) which includes annexes constituting a new framework for transatlantic exchanges of personal data, the EU-U.S. Data Privacy Framework (“DPF”).

Considering that DFP Principles comprehend many of those set by the previous legal framework, after its assessment of the Draft Decision, EDBP issued its opinion (the “Opinion”) which tends to focus on specific aspects in view of the evolution of the legal and technological environment.

As a starting point, EDBP highlights that the overall Draft Decision might be difficult to understand by those to whom it is addressed. Hence it identified the need to include key definitions such as ’different purposes’, ‘materially different’ purposes, or ‘a use that is not consistent with’ to avoid potential legal uncertainty.

Regarding individuals’ right of access, EDBP noted few aspects which should establish a proper obligation to answer requests from individuals each time their personal data is processed rather than only when such data is stored by an entity.

Moreover, related to the onward transfer, EDBP considers there should be a proper level of protection set by the third country’s national legislation which should be applicable to the recipient of data transferred to allow for continuous protection of personal data. To settle a mechanism which would benefit individuals, EDBP asks for clarity related to the safeguards imposed by the initial recipient on the importer in the third country which must be effective in light of third-country legislation, prior to an onward transfer.

Another aspect tackled by EDBP refers to bulk data collection which, according to the Opinion, could present more threats for individuals’ rights than targeted collection of data, in which case additional safeguards should be ensured. One major point emphasized that currently DPF does not imply for a prior authorization from any authority when bulk data is collected.

While many benefits related to transatlantic data transfer legal framework have been identified by EDBP, especially related to the introduction of the principles of necessity and proportionality, however, many key aspects might still be improved before adopting a binding European privacy framework.

Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.