Privacy – European Commission and the United States Announce Trans-Atlantic Data Privacy Framework
By Mariano Peruzzotti and Andrea Sanchez Vicentini.
On March 25, 2022, the European Commission (“EC”) and the United States announced that they had reached an agreement on a new Trans-Atlantic Data Privacy Framework that would allow the international transfer of personal data.
The agreement seeks to encourage transatlantic data flows and addresses the concerns raised by the EU Court of Justice in the Schrems II decision of July 2020. In that ruling, the Privacy Shield was declared an invalid mechanism for transferring personal data from the European Union to the United States.
The new framework involves a commitment of the United States to implement amendments that will strengthen the privacy rights and civil liberties applicable to United States’ intelligence and surveillance activities.
The key principles of this framework are the following:
- Personal data can be freely and safely transferred between the EU and participating United States companies.
- A new set of rules and binding safeguards will be implemented to limit access to data by United States surveillance and investigation authorities.
- United States intelligence agencies will adopt procedures to ensure effective oversight of new privacy and civil liberties standards.
- A new two-tier redress system, which includes a Data Protection Review Court, will be adopted to investigate and resolve complaints from Europeans about access to data by United States intelligence authorities.
- Strict obligations are imposed on companies processing data transferred from the EU.
- Specific monitoring and review mechanisms.
Both parties will continue working towards the execution of the relevant agreements and legal statutes.
Argentina is one of the few jurisdictions that the EC has declared adequate for the international transfer of personal data from the EU. The adequacy decision is currently being reviewed by the EC pursuant to the EU General Data Protection Regulation.
The Agency for Access to Public Information (AAPI), the controlling authority of Personal Data Protection Law No. 25,326 (PDPL), has listed the countries considered adequate for international transfers. The list includes EU Member States but not the United States. To validly transfer personal data to the United States, the parties must rely on (i) an international data transfer agreement; (ii) Binding Corporate Rules; (iii) the data subjects' consent; or (iv) one of the exceptions (derogations) provided by the law.
For further information contact: mperuzzotti@ojambf.com.