The topic of non-EU data processing has recently been enriched by two important developments: one of immediate application and another that will require full legal ratification. Experts are evaluating both closely.
1. EDPB Guidelines no. 4/2021
On February 22, 2022, the European Data Protection Board ("EDPB") finally adopted Guidelines no. 4/2021, which relate to the requirements that a code of conduct pursuant to art. 40, paragraph 2, of the GDPR must meet in order to be used as an adequate assurance tool for the transfer of personal data to a non-EEA country.
First of all, it should be noted that codes of conduct can be drawn up by associations representing categories of data controllers or data processors (for example, trade associations or sectoral organizations).
In order to assess compliance with the rules of the code of conduct, a supervisory body accredited by the competent supervisory authority (National Supervisory Authority) should be identified.
The code of conduct drawn up in such a way may be used to write contractual agreements for the transfer of data, which will have to include certain necessary content, such as:
2. EU/US Agreement: the Trans-Atlantic Data Privacy Framework
The European Commission and the United States recently announced that they have reached an agreement in principle on a new Trans-Atlantic Data Privacy Framework for the transfer of data from Europe to the US.
While reiterating that as of today an evaluation of the matter is not possible, the agreement in principle could represent an important milestone in overcoming the regulatory vacuum and operational uncertainty that were the main effects of the July 2020 Schrems II decision, which famously invalidated the operation of the Privacy Shield.