On 25 March 2022, the European Commission and the United States government announced that they had reached an agreement in principle on a new Trans-Atlantic Data Privacy Framework (“Framework”). The Framework, once adopted, will foster trans-Atlantic data flows and address the concerns raised by the Court of Justice of the European Union (“CJEU”) in the Schrems II decision of July 2020, which declared invalid the “Privacy Shield” mechanism adopted for data flows between the EU and the US (an earlier contribution providing clarifications and new measures after the “Schrems II” judgement was published on our TMT Data Protection Observatory and is available here).
As also declared by the competent authorities, the commitment on the US side, on which the agreement in principle for the adoption of the new Framework is based, is to implement reforms and adequate measures for the privacy and the protection of personal data of individuals in the European Economic Area (“EEA”) when their data are transferred to the US. Specifically, the new Framework reflects more than a year of negotiation between the EU and the US and takes into account the considerations and concerns raised by the CJEU in the Schrems II decision (namely, that US legislation did not meet the requirements of EU law and did not grant data subjects enforceable legal rights against the US authorities). In particular, the Framework shall ensure (as indicated in the Factsheet Trans-Atlantic Data Privacy Framework):
On 6 April 2022, the European Data Protection Board (“EDPB”) issued Statement 01/2022, in which it welcomed the Framework. Notably, the EDPB recognises the commitment of the highest United States authorities to establish measures to protect the data of EEA-based individuals when transferred to the US.
However, it is worth noting that, since the Framework will now be translated into legal documents, the EDPB declares in its Statement that it “will examine how this political agreement translates into concrete legal proposals to address the concerns raised by the Court of Justice of the European Union (CJEU) in order to provide legal certainty to EEA individuals and exporters of data”. Specifically, to issue the adequacy decision for the Framework, the European Commission must follow a multi-step process: following a written proposal drafted by the European Commission, the EDPB will review the proposal and issue an opinion on it. In any case, the EDPB also specifies that the announcement by the European Commission and the United States does not constitute a legal framework on which data exporters can base their data transfers to the US. Indeed, for any transfer made at this time, they must continue to comply with the principles outlined in the CJEU decision in Schrems II.
Reminder: how can EU data exporters transfer data to the United States?
In the context of the Schrems II decision, the CJEU recalled that the protection granted to personal data in the EEA must travel with the data, regardless of where such data is transferred, and that the level of protection in third countries does not need to be identical to that guaranteed in the EU, but it must be essentially equivalent. Subsequently, as recalled in the EDPB’s FAQ adopted on 23 July 2020, in the absence of a decision pursuant to Article 45 of Regulation (EU) 2016/679 (“GDPR”) or of appropriate safeguards pursuant to Article 46 of the GDPR, according to Articles 46 and 49 of the GDPR, data exporters may transfer data to the US by adopting other mechanisms.
Specifically, a transfer to a third country (or an international organisation) can only take place if the EU data exporter has provided appropriate safeguards and if data subjects have enforceable rights and effective remedies (as provided in Article 46(1) and (2)(c) of the GDPR). The appropriate safeguards may be provided, without requiring any specific authorisation from a supervisory authority, by, among others, Standard Contractual Clauses (“SCCs”) and Binding Corporate Rules (“BCRs”). The CJEU upheld the validity of European Commission Decision 2010/87/EC on Standard Contractual Clauses as a transfer tool that may serve to ensure, by contract, an essentially equivalent level of protection for data transferred to third countries, provided that the underlying transfers are assessed on a case-by-case basis to determine whether the personal data will be adequately protected. In this regard, with reference to both the SCCs and the BCRs, the CJEU pointed out that:
On 4 June 2021, the European Commission published its final Implementing Decision adopting new standard contractual clauses for the transfer of personal data to third countries (“New SCCs”). The New SCCs follow the draft decision published on 12 November 2020 and, among other things, respond to the Schrems II decision. The New SCCs set out a process whereby the parties to the SCCs must undertake a transfer impact assessment and document the outcome, but provide no real guidance on what the outcome of that process should be.
In this regard, taking into consideration the need to carry out a transfer risk assessment, the EDPB, with Recommendations 01/2020 “on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data”, published on 10 November 2020 and then adopted on 18 June 2021, has laid out a roadmap to help exporters assess the level of protection in third countries and, where needed, identify the supplementary measures that must be put in place for certain data transfers. The roadmap comprises the following six steps:
Moreover, according to Article 49 of the GDPR, it is still possible to transfer data from the EEA to the US only if at least one of the conditions set out in par. 1 is met. Specifically, in the event that the transfers are:
Furthermore, on 10 November 2020 the EDPB also adopted Recommendations 02/2020 “on the European Essential Guarantees for surveillance measures”, which provide elements to examine whether surveillance measures allowing access to personal data by public authorities in a third country, whether national security agencies or law enforcement authorities, can be considered a justifiable interference or not. In this regard, surveillance measures are considered justifiable when they meet the following requirements:
In view of all of this, data exporters can still transfer data from the EEA to the US, but they must comply with the principles outlined in the CJEU decision in Schrems II and, in particular, with the above provisions, while waiting for the European Commission and the United States government to translate the new Framework into legal documents that will need to be adopted on both sides.