On 25 March 2022 the European Commission announced, that the EU and the US reached an agreement in principle for a new Trans-Atlantic Data Privacy Framework. The new framework would be a replacement for the the old EU-US Privacy Shield and the even older Safe Harbor framework, both of which had been declared invalid by ECJ rulings. The conclusion of a new agreement would again allow European companies to transfer personal data to the USA without having to deal with the restrictions in art. 45–49 GDPR.
The original two agreements between the EU and the US were declared invalid by the ECJ because US intelligence agencies may access data without EU data subjects having a legal remedy against this access. According to the information now available, the US government has agreed to limit access to data by US intelligence authorities to what is necessary and proportionate to protect national security. There is a risk that the ECJ will not consider these limitations to be sufficient, and that a new agreement will only lead to yet another Schrems decision (Schrems III?). However, this question will remain unanswered for some time until the ECJ issues a subsequent ruling. Until then, the future agreement – if it is definitely concluded – should bring significant relief for European companies in their dealings with US service providers. It is quite conceivable that Switzerland will conclude an analogous agreement with the US, as was already the case with the Swiss-US Privacy Shield. This would also allow Swiss companies to use US service providers relatively freely.