This agreement signed by the EC and the US government lays the new foundations for the flow of data between the EU and the US and comes after a year of negotiations, as a response to the invalidation of the Privacy Shield. The economic stakes are huge as transatlantic data flows represent nearly €900 billion every year.
It seems that the Cloud Trust Principles initiative has produced results. This initiative is supported by major global cloud players (Amazon, Google, Microsoft, IBM, SAP and Cisco) and aims to work with governments and institutions to organize the secure storage and processing of their customers' data.
New EU-US framework agreement
The European Commission and the United States announced on March 25 that they have reached an agreement on a new transatlantic data protection framework, which will promote transatlantic data flows and address concerns raised by the European Court of Justice in the 2020 Schrems II judgment. This agreement will now be translated into legal documents.
The U.S. commitments will be included in an executive order that will be used as a proposal for the Commission adequacy decision to establish the new transatlantic data protection framework.
Under the agreement, the U.S. will be required to put in place new safeguards to ensure that surveillance activities are "necessary" and "proportionate" to the pursuit of national security objectives; to establish a two-tiered independent complaint mechanism that supports remedial action; and to strengthen rigorous, prioritized oversight of intelligence activities to ensure compliance with the surveillance activities.
The agreement follows more than a year of detailed negotiations between the United States and the European Union, led by Secretary of Commerce Gina Raimondo and Justice Commissioner Didier Reynders.
Transatlantic data flows are estimated to be worth €900 billion annually
What to keep in mind:
Under this new framework, data will be able to flow freely and securely between the EU and participating U.S. companies.
A new set of "mandatory" rules and safeguards will be established to limit access to data by U.S. intelligence agencies to only what is necessary and proportionate to protect national security.
U.S. intelligence agencies will adopt procedures to ensure effective monitoring of the new privacy and civil liberties standards.
A new two-tiered system of remedies will be established to investigate and resolve complaints from Europeans about data access by U.S. intelligence agencies, including the establishment of a Data Protection Review Tribunal.
Companies processing data from the EU will have to "self-certify" their adherence to the principles of the agreement through the US Department of Commerce.
What does it mean?
Toward harmonization of data protection laws.
It is likely that Europe, which is very proactive in the field of data regulation, has been overwhelmed by a transatlantic agreement that is not particularly constraining for the U.S. and that is rather inspired by the EU free flow of data.
Right to protect clients' interests
Cloud service providers should be given a clear procedure for contesting government requests to access their customers' data, including ad hoc notification to the relevant data protection authorities. This will now be done through a two-tiered system of remedy, handled by a data protection tribunal, but with no specification of the authority that will handle this remedy process.
Supporting business data flows controlled by public authorities
It appears that the European Free Flow of Data Act has inspired the US government to better negotiate the new transatlantic data framework agreement.
Indeed, the European law allows the availability of data for regulatory control by public authorities that may retain access to the data, even when it is located in another Member State or when it is stored or processed in the Cloud.