The impact of the Trans-Atlantic Data Privacy Framework on data transfer

Trans-Atlantic Data Privacy will require an assessment of data sharing practices for Financial Institution who wish transfer data to US again.

Schrems II annuls the Privacy Shield and complicates the data transfer to the EU Financial Institution from the US.

On 16th of July 2020, the CJEU  issued a judgement known as Schrems II concerning the data transfer regime between the European Union and the US.   

By the Judgment, the CJEU declared invalid the Privacy Shield adequacy decision adopted in 2016 by the European Commission (the EC) , which allowed data transfer between the EU and US operators adhering to its data protection principles without further formality.

The CJEU concluded that the Privacy Shield was incompatible with the GDPR. Furthermore, no appropriate legal remedies had been provided to the data subjects.

Nevertheless, the CJEU confirmed the validity of the European Standard Contractual Clauses (the ‘SCCs’) for the data transfer to processors established in third countries. However, the Judgment emphasizes the specific obligations imposed by the SCCs, not only on the exporter but also on the data importer to assess whether the foreign recipient (including subsidiaries, parent companies and third-party service providers) can meet the requirements of the SCCs in practice. If not, the data exporter will not be able to enter into a relationship or will have to suspend or even terminate the contract. The national supervisory authorities must take action if they deem it necessary.

Future Perspective: Adoption of the Trans-Atlantic Data Privacy Framework

On the 15th of March 2022, the European Commission and the US announced that they had agreed in principle on a new Trans-Atlantic Data Privacy Framework, which will regulate trans-Atlantic data flows and address the concerns raised by CJEU in the Schrems II decision. The purposes of this agreement are to strengthen privacy and civil liberties protection from US signals intelligence activities as well as to establish a mechanism with independent and binding authority.

According to the factsheet of the European Commission, the Trans-Atlantic Data Privacy is built on the following key principles:

• Personal data will be able to flow freely and securely between the EU and the participating US companies.
  
  
• A new set of rules and binding protective measures are to restrict the access of the US intelligence services. This ensures that access takes place only if it is necessary and proportionate to ensure national security, without disproportionately affecting the rights and freedoms of individuals. Procedures are being established to ensure effective monitoring of the new standards.
  
  
• A new two-tier redress system will ensure that complaints from EU citizens about access to data by US intelligence services are investigated and dealt with. A new and independent Data Protection Review Court is being set up for judicial review.
  
  
• There are strict obligations for US companies that process data transferred from the EU. This includes, in particular, the obligation to confirm compliance with the agreement to the US Department of Commerce by means of self-certification.
  

This Transatlantic Data Protection Framework is the result of over a year of detailed negotiations between the US and the EU. It is intended to provide businesses involved in the transfer of personal data with a sustainable basis for transatlantic data flows. The European Commission has already announced that this new framework "will promote an inclusive digital economy in which all people can participate and in which companies of all sizes from all of our countries can thrive".

What are the expected impacts for the financial Institution?

The US government and the EC will now continue their cooperation and transform the agreement in principle into a legal agreement. The Executive Order to be adopted by the US side will be the basis for the adoption of an adequacy decision pursuant to Art. 45 GDPR by the EC. The U.S. commitments will be included in an Executive Order that will form the basis of a draft adequacy decision by the Commission to put in place the new Trans-Atlantic Data Privacy Framework. 

Furthermore, as long as no adequacy decision has been adopted by the EC, the conclusion of standard contractual clauses and the necessary implementation of a transfer impact assessment remains the only way to transfer personal data to the US on a regular basis.

In this context, The European Data Protection Board recommends to banks, financial institutions, and insurance companies  to identify and adopt supplementary measures that are necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence. Among these recommendations, we can already highlight the performance of regular audits of strong disciplinary measures, that should be in place to monitor and enforce compliance with the data minimization measures in the transfer context and the performance of assessment of the personal data before the transfer takes place, in order to identify those sets of data that are not necessary for the purposes of the transfer and, therefore, won’t be shared with the data importer.

In any case, caution should be observed in this regard as in case of illegal transfer, the Data Protection Authority can require infringers to comply and, if necessary, impose administrative fines of up to 20 million euros or 4% of the company's total revenue. Criminal penalties may also be pronounced.

Conclusion

The content of this legal framework has not yet been published, but we can certainly foresee that its impact will be for financial institutions to take action such as to implement new internal measures to terminate the potential suspension of the data transfer with US companies, as well as to review the temporary corrective measures adopted to compensate for the lack of a regulatory framework legitimizing the abovementioned transfer, notwithstanding the invalidation of the Privacy Shield.