Considerable doubts
The exchange of personal data between the U.S. and the EU is to be put back on a legally secure footing. At least, that's what policymakers are planning. After the European Court of Justice (ECJ) declared the EU's data protection agreement with the U.S. (Privacy Shield) invalid two years ago, EU Commission President Ursula von der Leyen announced a new approach in March 2022: the Trans-Atlantic Data Privacy Framework. The European business community is urgently awaiting such a new data protection agreement. But will the planned "Privacy Shield 2.0" really create legal certainty? Admittedly, the concrete agreement is not expected until fall 2022 at the earliest.
However, it can already be said that it is questionable whether a new data protection agreement will meet the strict requirements of the EU GDPR. The reason is simple: The U.S. legal system would have to be significantly changed to meet the requirements of the EU GDPR. It is very doubtful that the United States will change its attitude to mass surveillance and its weighting of the fundamental right to informational self-determination in the short term. There are no signals of this at present.
On the contrary, Section 702 of the U.S. intelligence law, the Foreign Intelligence Surveillance Act (FISA), was only recently extended. This very law grants U.S. national security authorities far-reaching powers to access personal data stored or transmitted by organizations. Intelligence agencies, such as the NSA, are allowed to analyze communications data of so-called non-U.S. persons collected by U.S. companies, without concrete suspicion and without a corresponding court order. This is in blatant contradiction to the EU GDPR.
The ones to suffer are the European companies. Since the start of the coronavirus pandemic, they have needed legal certainty for their digitization strategies and for the reality of working from home with cloud and collaboration systems such as Microsoft Teams and SharePoint Online. Legal certainty is possible only with a technical solution that decouples sensitive data from the work processes and service offerings of non-European cloud providers.