Search
Contact
28.03.2022 | KPMG Law Insights

Trans-Atlantic Data Privacy Frame-work: Old wine in new bottles?

On March 25, EU Commission President Ursula von der Leyen and U.S. President Joe Biden officially announced that the EU and the U.S. want to facilitate transatlantic data exchange and are working on drafting a successor agreement to the “EU-US Privacy Shield.” The Commission has now published an information paper with the first details of the content of the “Trans-Atlantic Data Privacy Framework”.

 

  • The U.S. holds out the prospect of creating a new set of rules and binding safeguards to limit U.S. intelligence agencies’ access to data to what is necessary and proportionate to protect national security. Specifically, U.S. intelligence agencies are to implement procedures to ensure effective oversight of the new privacy and liberty standards.

 

  • A new, two-tiered redress system to investigate and remedy complaints by EU citizens regarding data access by U.S. authorities is to be introduced. An independent “Data Protection Review Court” is to be established for this purpose.

 

  • The Trans-Atlantic Data Privacy Framework will – again – be based on a system of self-certification by U.S. companies under the supervision of the U.S. Department of Commerce.

 

Next steps

Concrete legal obligations must now be formulated from the agreed principles. These are then to be issued within the framework of an “Executive Order”, which obliges the US authorities to implement them. The Executive Order is intended to form the basis for the Commission’s draft adequacy decision. With each of these steps potentially taking months, it is still entirely unclear when (if ever) an adequacy decision can be expected. However, a short-term solution to the problem of transatlantic data traffic seems impossible. Last but not least, Max Schrems – lawyer and data protection activist – has already announced that, as in the “Safe Harbour” and “Privacy Shield” cases, he will also take timely action against future adequacy decisions if they do not comply with European Union law.

 

Doubts about compliance with European data protection standards

The news about a planned successor agreement to the “Privacy Shield” is encouraging due to the increasing relevance of transatlantic data exchange. However, not too many hopes should be placed in the “Trans-Atlantic Data Privacy Framework” just yet. Under no circumstances should processes already initiated to secure U.S. transfers be stopped.

The principles proposed by the EU and the U.S. do take up specific points of the ECJ’s Schrems II decision, in that legal protection options are to be improved and complaints by those affected are to be decided by an independent body.

However, crucial questions remain unanswered. For example, whether there will be any obligation at all on the part of U.S. authorities to inform EU citizens about data access. Furthermore, it remains to be seen whether the powers of the Data Protection Review Court vis-à-vis U.S. authorities will also be sufficient to enforce compliance vis-à-vis U.S. authorities.

Another major criticism of the ECJ with respect to the predecessors of the proposed Trans-Atlantic Data Privacy Framework was that Section 702 of the Foreign Intelligence Surveillance Act (FISA) did not impose restrictions on surveillance activities or provide other safeguards for non-U.S. citizens. In response to this, surveillance measures are to be carried out in the future only if this is necessary to protect national security and appropriate with regard to the intrusion into privacy. However, past experience has shown that there are sometimes different understandings in the EU and the U.S. regarding the value of privacy rights and national security, and balancing the positions involves some challenges. The introduction of an adequacy test on the U.S. side is an essential and important step, although the actual implementation will only show whether sufficient account is taken of the restriction on the access rights of the U.S. authorities previously demanded by the EU.

 

Keep calm and stay on course

Efforts to officially regulate transatlantic data sharing on the basis of an adequacy decision could mean major benefits for all stakeholders, as this would allow data to be transferred without the need to enter into standard contractual clauses, which have since become complex, and to conduct time-consuming and costly transfer impact assessments. However, a “Privacy Shield 2.0” and the associated uncertainties must be prevented, because what companies need above all else is legal certainty; and they need it in the long term. In this regard, it remains to be seen how the U.S. will implement the announced measures and how the EU courts will assess this. It therefore remains essential for European companies to take individual measures to comply with data protection requirements when using U.S. providers and to work overall on maintaining their compliance with regard to data transfers to the United States.

 

Explore #more

10.10.2025 | In the media

KPMG Law guest article in NZG: Compliance due diligence in SMEs: Minimum scope and contractual mapping of compliance risks of the target company

In the context of M&A transactions, compliance usually still plays a subordinate role in legal due diligence. The purpose of this article is, on…

10.10.2025 | In the media

KPMG Law honored at the M&A Award Night 2025

KPMG Law has been awarded the “M&A Transaction Advisory” prize at this year’s M&A Award Night of the Bundesverband Mergers & Acquisitions e.V. (BM&A) and…

10.10.2025 | In the media

KPMG Law guest article in CCZ: The guide for compliance management systems in small and medium-sized enterprises (DIN SPEC 91524)

Compliance in SMEs is challenging: the legal responsibility for compliance is undisputed, but the specific tasks are unclear and depend on the specific situation of…

10.10.2025 | KPMG Law Insights

Transformation in legal departments in 2026 – the most important trends and best practices

Three topics in particular are currently driving the transformation of the legal department: AI, the rapid increase in regulation and geopolitical developments. There has always…

08.10.2025 | Deal Notifications

KPMG advised Adiuva Capital GmbH with Fact Books on the sale of KONZMANN Group

KPMG Law Rechtsanwaltsgesellschaft mbH (KPMG Law) and KPMG AG Wirtschaftsprüfungsgesellschaft (KPMG) advised Adiuva Capital GmbH, a Hamburg-based private equity firm (“Adiuva“), in connection with the…

06.10.2025 | KPMG Law Insights

What the Green Claims Directive means for companies – an overview

With the Green Claims Directive, the EU will introduce extensive regulations on the requirements for permissible environmental claims. The aim is to prevent greenwashing so…

03.10.2025 | Deal Notifications

KPMG Law and KPMG support the restructuring of Groupe CAT in Germany

KPMG Law Rechtsanwaltsgesellschaft (KPMG Law) and KPMG AG Wirtschaftsprüfungsgesellschaft (KPMG) advised Groupe CAT on comprehensive restructuring measures with a cross-service team. Over a period of…

02.10.2025 | Deal Notifications

KPMG Law advises Epitype GmbH and MDG Molecular Diagnostics Group GmbH on the acquisition of significant assets of oncgnostics GmbH

KPMG Law Rechtsanwaltsgesellschaft mbH (KPMG Law) provided comprehensive legal advice to Epitype GmbH, a company of the Dresden-based MDG Group, on the formation and subsequent…

02.10.2025 | In the media

KPMG Law Statement in ZEIT for entrepreneurs: We’ll take the 500 billion!

German construction companies are asking themselves: how quickly will the money come from the government? And they are worried that only the giants will benefit.…

01.10.2025 | KPMG Law Insights

Federal Network Agency reforms special network charges for industry and commerce

The Federal Network Agency is planning a fundamental reform of the special network charges for energy-intensive companies. Any change to the current privilege regime entails…

Contact

Francois Heynike, LL.M. (Stellenbosch)

Partner
Head of Technology Law

THE SQUAIRE Am Flughafen
60549 Frankfurt am Main

Tel.: +49-69-951195770
fheynike@kpmg-law.com

© 2024 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit https://home.kpmg/governance.

 KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.

Scroll