Cross-border data processing: two important new developments

The topic of the processing of non-EU data has recently been improved by two important novelties: one of immediate application and another that will require full legal ratification, but both of which are being evaluated with attention by experts.

1. Guidelines EDPB n. 4/2021

On February 22, 2022, guidelines no. 4/2021 were finally adopted by the European Data Protection Board ("EDPB") , which relate to the requirements that a code of conduct pursuant to art. 40, paragraph 2, of the GDPR must meet in order to be used as an adequate assurance tool for the transfer of personal data to a non-EEA country.

First of all, it should be noted that codes of conduct can be drawn up by associations representing categories of data controllers or data processors (for example, trade associations or sectoral organizations).

In order to assess compliance with the rules of the code of conduct, a supervisory body accredited by the competent supervisory authority (National Supervisory Authority) should be identified.

The code of conduct drawn up in such a way may be used to write contractual agreements for the transfer of data, which will have to include certain necessary content, such as:

• A commitment by the importer to respect the code of conduct to which it has adhered,
• mechanisms to enforce such commitment in the event of violations by the importer;
• the existence of a right for data subjects whose personal data is transferred to enforce the rules of the code of conduct as "third-party beneficiaries;
• the possibility for the data subject to lodge a complaint (also of a compensatory nature), as a "third-party beneficiary", before a supervisory authority located in the EEA or before a court in his/her place of residence, in the event of violation of the rules of the code of conduct by the importer;
• the right of the exporter to enforce the rules of the Code of Conduct against the relevant importer as a "third-party beneficiary
• the importer's obligation to notify the exporter (and the latter's supervisory authority) of any breach of the Code of Conduct, as well as any corrective measures taken by the supervisory body in response to the notified breach.

2. Agreement UE/USA: il Trans-Atlantic Data Privacy Framework

The European Commission and the United States have recently made an announcement that they have reached an agreement in principle on a new Trans-Atlantic Data Privacy Framework for the transfer of data from Europe to the US.

• A definite opinion on the agreement is premature (it will be necessary to wait for its transposition in the final legal text); certainly, however, it is already possible to foresee its potential relevance, since with it some important rules for cross-border data flows have been codified, such as for example
• A greater consideration, by the United States, of the principles of necessity and proportionality, cornerstones of the GDPR (see art. 5 GDPR);
• The implementation an independent two-step remedy mechanism; with binding authority to direct corrective measures; and improved rigorous and layered oversight of signals intelligence activities to ensure compliance with limitations on surveillance activities.

While reiterating that as of today a valuation on the matter is not possible, the settlement in principles could represent an important milestone in overcoming the regulatory vacuum and operational uncertainty, the main effects of the July 2020 Schrems II decision, which famously invalidated the operation of the Privacy Shield.