On March 25, 2022, the European Commission and the United States announced that they had reached an “agreement in principle” on a replacement for the EU-U.S. Privacy Shield, which was invalidated by the Court of Justice of the European Union in 2020.
The European Commission and the US have reached an agreement in principle on a new Trans-Atlantic Data Privacy Framework (TADPF), which will promote trans-Atlantic data flows and address concerns raised by the European Union’s Court of Justice in the Schrems II judgment of July 2020.
After more than a year of negotiations between the U.S. and E.U., the Trans-Atlantic Data Privacy Framework was created. This framework will be essential for protecting citizens’ rights and allowing trans-Atlantic trade in various sectors. Increasing cross-border data flows will foster an inclusive digital economy that allows companies of all sizes to thrive.
In terms of next steps, the agreement in principle will now need to be translated into legal documents, i.e., an Executive Order on the U.S. side and an adequacy decision from the European Commission on the EU side.
According to President of the European Commission Ursula von der Leyen, the European Commission must protect EU citizens’ rights when their data is transmitted to the U.S. It should also balance security with the right to privacy and data protection.
The new framework:
- Enables trustworthy data flows between the EU and the U.S.
- Safeguards privacy and civil liberties
Turn the provisional agreement
EU officials familiar with the matter said it will likely take months to turn the provisional agreement into a final legal deal.
“First, the U.S. needs to prepare their executive order, and then we need to do our internal consultation in the Commission and within the European Data Protection Board,” the official said, referring to the EU privacy watchdog.
Is the EU-US Privacy Shield GDPR-compliant?
As a consequence, transferring data from the EU to the US solely under the Privacy Shield principles is no longer compliant with the GDPR, and a supervisory authority (data protection authority) could fine you for GDPR infringement.
Is the US EU Privacy Shield still valid?
As a result of that decision, the EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States.
Amazon Web Services and the new framework
monday.com is a partner of Amazon Web Services (AWS) and hosts its user data in AWS data centers in the US and Germany.
AWS has announced that they “commit to undertaking certification in accordance with the Data Privacy Framework as it is adopted, and look forward to their users benefiting from the new safeguards.”
The Data Privacy Framework will introduce additional safeguards to guarantee that US intelligence activities are confined to what is necessary and proportional to preserve national security, as well as a new redress channel for EU residents’ concerns.
AWS is in full support of the enhanced rules and regulations that improve privacy and security protections for organizations that use cloud technologies and want to have control of their data.
Summary
What can we conclude from this? Changes are on the horizon. But no new laws are here yet, only an “agreement in principle”. For now (May 2022), the safest bet is still to use cloud services within the EU if you have sensitive information about EU citizens.
Need to talk about your cloud security and monday.com? Don’t hesitate to book a meeting with us.