What are the expected impacts for financial institutions?
The US government and the European Commission (EC) will now continue their cooperation and turn the agreement in principle into a legal agreement. The U.S. commitments will be set out in an Executive Order, which will form the basis of a draft adequacy decision by the Commission pursuant to Art. 45 GDPR, putting in place the new Trans-Atlantic Data Privacy Framework.
Furthermore, as long as no adequacy decision has been adopted by the EC, concluding standard contractual clauses and carrying out the required transfer impact assessment remain the only way to transfer personal data to the US on a regular basis.
In this context, the European Data Protection Board recommends that banks, financial institutions, and insurance companies identify and adopt the supplementary measures necessary to bring the level of protection of the transferred data up to the EU standard of essential equivalence. Among these recommendations, we can already highlight the performance of regular audits and the strong disciplinary measures that should be in place to monitor and enforce compliance with data minimisation in the transfer context, as well as the assessment of the personal data before the transfer takes place, in order to identify those data sets that are not necessary for the purposes of the transfer and will therefore not be shared with the data importer.
In any case, caution is warranted here: in the event of an unlawful transfer, the Data Protection Authority can order infringers to comply and, if necessary, impose administrative fines of up to 20 million euros or 4% of the company's total revenue. Criminal penalties may also be imposed.