Privacy Plus+

Privacy, Technology and Perspective

Cross-Border Data Transfer Update – New Trans-Atlantic Data Privacy Framework and UK’s International Data Transfer Agreement.  This week, personal data transfers are in the news as leaders from the United States and the European Union have announced an “agreement in principle” to, among other things, “enhance” the now-defunct Privacy Shield framework, and (separately) the United Kingdom’s International Data Transfer Agreement has taken effect.  Highlights follow:


U.S.-E.U. “Agreement in Principle” for Trans-Atlantic Data Privacy Framework:  During a press conference from Brussels on Friday, President Biden and European Commission President Ursula von der Leyen announced an “agreement in principle on a new framework for trans-Atlantic data flows.”  While details of the agreement have not been specified, Biden stated, “Today we have agreed to unprecedented protections for data privacy and security for our citizens. This new arrangement will enhance the Privacy Shield framework, promote growth and innovation in Europe and in the United States and help companies, both small and large, compete in the digital economy.” He added, “This framework underscores our shared commitment to privacy, data protection, and the rule of law. And it’s going to allow the European Commission to once again authorize trans-Atlantic data flows that facilitate $7.3 trillion in economic relationships with the EU.” A link to the press conference follows:   

The White House has also published a “fact sheet,” which is available at the following link:

This news is welcome to those companies struggling to reconcile the continued divergence between U.S. and E.U. data protection laws.

Unsurprisingly, however, privacy activist Max Schrems, whose legal challenges led to the demise of previous agreements in the Schrems I and Schrems II decisions, is not impressed.  In a press release also issued on Friday, Schrems says he expects to challenge this agreement as well, because he expects it will not adequately curb U.S. surveillance agencies’ activities.  You can read more about Mr. Schrems’ reaction at this link:

UK’s International Data Transfer Agreement. Following consultation by the Information Commissioner’s Office (ICO) last year, the UK International Data Transfer Agreement (IDTA) became effective on March 21, 2022.  In many ways, the IDTA is analogous to the European Commission’s Standard Contractual Clauses (SCCs): they are designed to facilitate data transfers from the U.K. and the EEA, respectively, to “third countries” (i.e., countries/territories that have not been determined to provide an adequate level of protection of personal data).  The ICO has published extensive guidance on the new IDTA, which is available at the following link:

Companies transferring personal data regulated under the UK GDPR will need to utilize the IDTA or the related Addendum to the SCCs to maintain compliance.

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.