{"id":5609,"date":"2022-03-28T10:51:48","date_gmt":"2022-03-28T08:51:48","guid":{"rendered":"https:\/\/s8.tgin.eu\/?p=5609"},"modified":"2025-10-31T18:10:37","modified_gmt":"2025-10-31T17:10:37","slug":"weekly-digest-28032022-eu-us-new-data-transfer-deal-leaves-privacy-experts-in-doubt","status":"publish","type":"post","link":"https:\/\/techgdpr.com\/blog\/weekly-digest-28032022-eu-us-new-data-transfer-deal-leaves-privacy-experts-in-doubt\/","title":{"rendered":"Weekly digest March 21 &#8211; 27, 2022: EU and US reach preliminary data transfer agreement, but experts have doubts"},"content":{"rendered":"\n<h6 class=\"wp-block-heading\"><em>TechGDPR\u2019s review of international data-related stories from press and analytical reports.<\/em><\/h6>\n\n\n\n<h4 class=\"wp-block-heading\">Legal processes: new EU-US data transfer deal, Digital Markets Act, China\u2019s algorithmic rules<\/h4>\n\n\n\n<p><a href=\"https:\/\/www.reuters.com\/legal\/litigation\/eu-us-reach-preliminary-deal-avoid-disruption-data-flows-2022-03-25\/\">The EU and US have announced a new preparatory data transfer deal,<\/a> seeking to end the legal uncertainty in which thousands of companies found themselves after the CJEU threw out two previous agreements due to America\u2019s governmental surveillance practices, Reuters reports. It will take months to turn the provisional agreement into a final legal deal, as the US will need to prepare their executive order, and then the EU must complete internal consultation in the Commission and within the EDPB. So far the White House has released a fact sheet on the new deal, which addresses the CJEU <a href=\"https:\/\/techgdpr.com\/blog\/international-transfers-personal-data-schrems-ii-ruling\/\">\u2018Schrems II\u2019<\/a> decision concerning US law governing signals intelligence activities:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Signals intelligence collection may be undertaken only where necessary to advance legitimate national security objectives, and must not disproportionately impact the protection of individual privacy and civil liberties;<\/li>\n\n\n\n<li>EU individuals may seek redress from a new multi-layer redress mechanism that includes an independent Data Protection Review Court that would consist of individuals chosen from outside the US Government who would have full authority to adjudicate claims and direct remedial measures as needed; and<\/li>\n\n\n\n<li>US intelligence agencies will adopt procedures to ensure effective oversight of new privacy and civil liberties standards.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Earlier last week,&nbsp;EU privacy experts raised their concerns over <a href=\"https:\/\/noyb.eu\/en\/privacy-shield-20-first-reaction-max-schrems\">the lack of details of the deal.<\/a> Austrian privacy activist Max Schrems, who started a long-running dispute with Meta\/Facebook, (resulting in the invalidation of the EU-US Privacy Shield data transfer framework), stated: &#8220;The final text will need more time, once this arrives we will analyze it in-depth, together with our US legal experts. If it is not in line with EU law, we or another group will likely challenge it.\u201d&nbsp; The legal stance over transatlantic data flows has led, in recent months, to European data protection agencies issuing orders against flows of personal data passing via products such as <a href=\"https:\/\/techcrunch.com\/2022\/03\/25\/eu-and-us-agree-data-transfer-deal-to-replace-defunct-privacy-shield\/\">Google Analytics, Google Fonts, and Stripe, along with long-standing and multilayered complaints against Meta\/Facebook<\/a>, TechCrunch sums up.<\/p>\n\n\n\n<p>Meanwhile, sweeping new digital <a href=\"https:\/\/www.reuters.com\/technology\/rules-against-us-tech-giants-come-into-force-october-eus-vestager-says-2022-03-25\/\">rules targeting US tech giants will likely come into force in October,<\/a> EU antitrust chief Margrethe Vestager informed. The rules proposed a year ago in the Digital Markets Act set out a list of dos and don&#8217;ts for Amazon, Apple, Meta, Google, Microsoft, and others. Fines for violations will range reportedly from 10% of a company&#8217;s annual global turnover to 20% for repeat offenders who could face an acquisition ban. Companies that are designated as online gatekeepers, (intermediation services, social networks, search engines, operating systems, advertising services, cloud computing, video-sharing services, web browsers and virtual assistants), which control access to their platforms and the data generated there will <a href=\"https:\/\/www.reuters.com\/world\/europe\/eu-countries-eu-lawmakers-clinch-deal-rules-rein-tech-giants-2022-03-24\/\">have six months to comply with the new rules<\/a>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>additional <a href=\"https:\/\/www.europarl.europa.eu\/news\/en\/press-room\/20211210IPR19211\/digital-markets-act-parliament-ready-to-start-negotiations-with-council\">requirements on the use of data for targeted or micro-targeted advertising and the interoperability of services<\/a>;&nbsp;<\/li>\n\n\n\n<li>gives users the option to uninstall pre-installed software applications, such as apps, on a core platform service at any stage;&nbsp;<\/li>\n\n\n\n<li>ensures whistleblowers are able to alert competent authorities to actual or potential infringements of this regulation and protect them from retaliation, etc.<\/li>\n<\/ul>\n\n\n\n<p><a href=\"https:\/\/www.chinalawupdate.cn\/2022\/03\/articles\/data-security\/provisions-on-administration-of-algorithmic-recommendation-took-effect-on-march-1\/#page=1\">In China, the provisions&nbsp; on the administration of algorithmic recommendations in the Internet Information Service became effective as of March<\/a>, Chinalawupdate blog reports. It refers to the application of any algorithmic technology, including without limitation, generation and synthesis, individualized push, sorting and selection, searching and filtering, and scheduling and decision-making, to provide information to users. Among many provisions, it requires:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>algorithmic system and mechanism review, science and technology ethics review,<\/li>\n\n\n\n<li>user registration, information release review, data security protection,<\/li>\n\n\n\n<li>anti-telecom network fraud, security evaluation, monitoring, and incident emergency plan,<\/li>\n\n\n\n<li>informing users about its provision of algorithmic recommendation service, and notifying the public, in an appropriate manner, of the basic principles, the purpose and intention, and the main operation mechanism,&nbsp;<\/li>\n\n\n\n<li>providing users with options that are not customized based on the users\u2019 individual characteristics, or the option to conveniently close the algorithmic recommendation service, etc.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Official guidance: workplace monitoring<\/h4>\n\n\n\n<p>The Norwegian data protection authority <a href=\"https:\/\/www.datatilsynet.no\/personvern-pa-ulike-omrader\/personvern-pa-arbeidsplassen\/innsyn-epost-filer\/\">Datatilsynet has issued workplace monitoring guidance<\/a>, (in Norwegian). These activities must take into account important data protection criteria such as providing information about the treatment to jobseekers and employees, facilitating data subject rights, deleting the information when no longer necessary, and having satisfactory information security and internal control of their data. One of the examples, automatic forwarding of e-mails is considered continuous monitoring of the employee&#8217;s use of electronic equipment and is not allowed. Monitoring of an employee&#8217;s use of electronic equipment is prohibited, and can only exceptionally take place if the purpose is to administer the company&#8217;s computer network or detect or solve security breaches in the network. The guide also contains provisions for background checks during the recruitment process, access to e-mail and other electronically stored materials, and camera surveillance in the workplace.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Data breaches and enforcement actions: online retailer, third party provider, school\u2019s trade union, insurance company<\/h4>\n\n\n\n<p>An American online retailer of stock and user-customized on-demand products CafePress to pay half a million dollars for FTC violations, DLA Piper reports. The online platform failed to secure consumers\u2019 sensitive personal data collected through its website and covered up a major breach. This included:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Storing personal information in clear, readable text.<\/li>\n\n\n\n<li>Maintaining lax password policies that allowed, for example, users to select the same word, including common dictionary words, as both the password and user ID.<\/li>\n\n\n\n<li>Failing to log sufficient information to adequately assess cybersecurity events.<\/li>\n\n\n\n<li>Failing to comply with existing written security policies.<\/li>\n\n\n\n<li>Failing to implement patch policies and procedures.<\/li>\n\n\n\n<li>Storing personal information indefinitely without a business need to do so, etc.<\/li>\n<\/ul>\n\n\n\n<p>In 2019, a major data breach exposed millions of emails and passwords, addresses, security questions, and answers as well as a smaller number of social security numbers, partial payment card numbers, and expiration dates of the customer accounts. This information was later discovered for sale on the dark web. The company patched the vulnerability but allegedly failed to properly investigate the breach and notify the affected customers. Read <a href=\"https:\/\/www.workplaceprivacyreport.com\/2022\/03\/articles\/consumer-privacy\/ftc-settles-privacy-and-security-allegations-with-online-merchant-for-500k-and-agreement-to-extensive-compliance-program\/#page=1\">more analysis<\/a> of the case by the Workplace Privacy Report article.<\/p>\n\n\n\n<p><a href=\"https:\/\/www.infosecurity-magazine.com\/news\/okta-25-customers-impacted-lapsus\/\">The US authentication firm Okta has admitted that hundreds of customers may have been impacted by a prolific hacking group\u2019s attack via a third-party provider<\/a>, Infosecurity Magazine reports. Ransom group Lapsus shared screenshots, which purportedly showed \u201csuperuser\u201d access to an internal Okta desktop in January. The attackers did have access to a third-party support engineer\u2019s laptop for a five-day window. <a href=\"https:\/\/www.bbc.com\/news\/technology-60849687\">Okta initially said the matter with the sub-contractor was investigated and contained<\/a>, BBC reports. Similarly, none of Okta&#8217;s clients such as Cloudflare, FedEx, Thanet has reported any issues.<\/p>\n\n\n\n<div class=\"wp-block-media-text is-stacked-on-mobile\" style=\"grid-template-columns:36% auto\"><figure class=\"wp-block-media-text__media\"><img decoding=\"async\" width=\"1024\" height=\"732\" src=\"https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/03\/classroom-g0894334d8_1920-1024x732.jpg\" alt=\"\" class=\"wp-image-5613 size-full\" srcset=\"https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/03\/classroom-g0894334d8_1920-1024x732.jpg 1024w, https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/03\/classroom-g0894334d8_1920-300x214.jpg 300w, https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/03\/classroom-g0894334d8_1920-768x549.jpg 768w, https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/03\/classroom-g0894334d8_1920-1536x1098.jpg 1536w, https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/03\/classroom-g0894334d8_1920.jpg 1920w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><div class=\"wp-block-media-text__content\">\n<p><\/p>\n\n\n\n<p>Cyprus\u2019s data protection commissioner fined <a href=\"https:\/\/www.dataguidance.com\/news\/cyprus-commissioner-fines-english-school-4000-failure\">English school 4,000 euros for failure to implement sufficient technical and organisational security measures to prevent a data breach<\/a>, Data Guidance reports. The investigation related to the unauthorized access and use of the email addresses of the students&#8217; parents and guardians, by the school&#8217;s staff union ESSA. In particular, a school professor who was also the president of the ESSA, sent an email to all parents\/guardians and to the staff, for purposes other than those for which said email addresses were originally collected, and without the parents\/guardians being informed of such use. The regulator ruled that irrespective of the responsibility of the school professor and the ESSA, the English school, as a data controller, did not apply sufficient security measures following Art. 32 of the GDPR. <a href=\"https:\/\/www.dataguidance.com\/news\/cyprus-commissioner-fines-essa-5000-data-breach\">ESSA, as a separate joint controller, was also fined 5,000 euros.<\/a>\u00a0<\/p>\n<\/div><\/div>\n\n\n\n<p>The Icelandic data protection authority ruled in a case about an insurance company&#8217;s processing of personal data following a claim for compensation. There were complaints about the insurance company&#8217;s disclosure of the plaintiff&#8217;s personal data to an expert who prepared a report on the speed and impact of a traffic incident that the plaintiff had encountered. There were also complaints about the insurance company&#8217;s use of the report in question when assessing the claim for compensation against the company. The plaintiff contested that the insurance company was not authorized to administer the further use of the report data and that it did not take care to inform the individuals or obtain their consent. Although the data protection authority concluded that the above processing activities were in accordance with the law, <a href=\"https:\/\/www.dataguidance.com\/news\/iceland-pers%C3%B3nuvernd-finds-sj%C3%B3v%C3%A1-almennar-tryggingar-0\">based in particular on a contract (Art. 28 of the GDPR<\/a>). Since the complainant was not informed or educated about the transfer of the data to the specialist and its processing, the regulator found that the company did not comply with the information and transparency obligations (Art.13 of the GDPR).&nbsp;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Data security: pseudonymisation in the health sector<\/h4>\n\n\n\n<p>The European Union Agency for Cybersecurity<a href=\"https:\/\/www.enisa.europa.eu\/publications\/deploying-pseudonymisation-techniques\"> has published guidance on deploying pseudonymisation techniques in the health sector<\/a>. From a cybersecurity point of view, the confidentiality, availability, and integrity of medical data and relevant infrastructure are considered essential in order to be able to provide timely, appropriate, and uninterrupted medical care. This is also highlighted by the NIS Directive which categorizes the health sector as an operator of essential service and calls for minimum security requirements to ensure a level of security appropriate to the level of risks presented. Furthermore, the GDPR distinguishes, in Art. 9, data concerning health as a special category of data, and sets out additional requirements and stricter obligations for processing and protecting such data. Lastly, the Medical Devices Regulation imposes requirements regarding the safety, quality, and security of medical devices in order to achieve a high common level for safety. Case studies in the report include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>exchanging patient\u2019s health data,<\/li>\n\n\n\n<li>Clinical Trials,<\/li>\n\n\n\n<li>patients-sources monitoring of health data.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Big Tech: data brokers, smartphone health monitoring, China\u2019s&nbsp;crackdown on Bing algorithms<\/h4>\n\n\n\n<p><a href=\"https:\/\/www.theguardian.com\/technology\/2022\/mar\/23\/data-brokers-lawsuit-security-transparency\">The legal implications of personal data usage by the data brokerage industry<\/a> has been analysed by the Guardian. A new lawsuit reportedly involves two companies in this vast network: X-Mode, a data broker, and NybSys, one of X-Mode\u2019s customers. The lawsuit claims people\u2019s exact location data was sold through a chain of industry players, rather than the summary or analysis of that information, without knowledge or permission from &nbsp; X-Mode. Data brokers collect personal data from a variety of sources, including social media, public records and other commercial sources or companies. These firms then sell that raw data, or inferences and analysis based on that data \u2013 such as a user\u2019s purchase and demographic information \u2013 to other companies, like researchers or advertisers.<\/p>\n\n\n\n<p>Google wants to use <a href=\"https:\/\/www.reuters.com\/technology\/google-tests-catching-heart-eye-issues-smartphone-sensors-2022-03-24\/\">smartphones to monitor health, saying it would test whether capturing heart sounds and eyeball images could help people identify issues <\/a>from home, Reuters reports. The company is investigating whether the smartphone&#8217;s built-in microphone can detect heartbeats and murmurs when placed over the chest allowing early detection of heart valve disorders, etc. Google also plans to test whether its artificial intelligence software can analyse ultrasound screenings taken by less-skilled technicians, as long as they follow a set pattern.<\/p>\n\n\n\n<p>Microsoft&#8217;s <a href=\"https:\/\/www.reuters.com\/technology\/china-requires-microsofts-bing-suspend-auto-suggest-feature-2022-03-21\/\">Bing, the only major foreign search engine available in China, said a government agency has required it to suspend its auto-suggest function in the country<\/a> for a week, Reuters reports. It is a second case for Bing since December, and arrives amid an ongoing crackdown on technology platforms and algorithms from Beijing. Since August, China&#8217;s top cybersecurity authorities have published draft rules dictating how internet platforms can and cannot make use of algorithms. These came into effect this month.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>TechGDPR\u2019s review of international data-related stories from press and analytical reports. Legal processes: new EU-US data transfer deal, Digital Markets Act, China\u2019s algorithmic rules The EU and US have announced a new preparatory data transfer deal, seeking to end the legal uncertainty in which thousands of companies found themselves after the CJEU threw out two [&hellip;]<\/p>\n","protected":false},"author":21,"featured_media":5610,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"categories":[94],"tags":[107,179,116,95,105,180,104],"class_list":["post-5609","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-data-protection-digest","tag-algorithms","tag-data-brokers","tag-digital-markets-act","tag-eu-us-data-transfer","tag-health-tech","tag-pseudonymisation","tag-workers-rights"],"acf":[],"featured_image_urls":{"full":["https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/03\/location-g82c423ca1_1280.png",1280,1280,false],"thumbnail":["https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/03\/location-g82c423ca1_1280-150x150.png",150,150,true],"medium":["https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/03\/location-g82c423ca1_1280-300x300.png",300,300,true],"medium_large":["https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/03\/location-g82c423ca1_1280-768x768.png",640,640,true],"large":["https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/03\/location-g82c423ca1_1280-1024x1024.png",640,640,true],"1536x1536":["https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/03\/location-g82c423ca1_1280.png",1280,1280,false],"2048x2048":["https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/03\/location-g82c423ca1_1280.png",1280,1280,false],"image-200-200":["https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/03\/location-g82c423ca1_1280-200x200.png",200,200,true]},"post_excerpt_stackable":"<p>TechGDPR\u2019s review of international data-related stories from press and analytical reports. Legal processes: new EU-US data transfer deal, Digital Markets Act, China\u2019s algorithmic rules The EU and US have announced a new preparatory data transfer deal, seeking to end the legal uncertainty in which thousands of companies found themselves after the CJEU threw out two previous agreements due to America\u2019s governmental surveillance practices, Reuters reports. It will take months to turn the provisional agreement into a final legal deal, as the US will need to prepare their executive order, and then the EU must complete internal consultation in the Commission&hellip;<\/p>\n","category_list":"<a href=\"https:\/\/techgdpr.com\/blog\/category\/data-protection-digest\/\" rel=\"category tag\">Data Protection Digest<\/a>","author_info":{"name":"Olya Vasylyk","url":"https:\/\/techgdpr.com\/blog\/author\/olyav\/"},"comments_num":"0 comments","featured_image_urls_v2":{"full":["https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/03\/location-g82c423ca1_1280.png",1280,1280,false],"thumbnail":["https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/03\/location-g82c423ca1_1280-150x150.png",150,150,true],"medium":["https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/03\/location-g82c423ca1_1280-300x300.png",300,300,true],"medium_large":["https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/03\/location-g82c423ca1_1280-768x768.png",640,640,true],"large":["https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/03\/location-g82c423ca1_1280-1024x1024.png",640,640,true],"1536x1536":["https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/03\/location-g82c423ca1_1280.png",1280,1280,false],"2048x2048":["https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/03\/location-g82c423ca1_1280.png",1280,1280,false],"image-200-200":["https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/03\/location-g82c423ca1_1280-200x200.png",200,200,true]},"post_excerpt_stackable_v2":"<p>TechGDPR\u2019s review of international data-related stories from press and analytical reports. Legal processes: new EU-US data transfer deal, Digital Markets Act, China\u2019s algorithmic rules The EU and US have announced a new preparatory data transfer deal, seeking to end the legal uncertainty in which thousands of companies found themselves after the CJEU threw out two previous agreements due to America\u2019s governmental surveillance practices, Reuters reports. It will take months to turn the provisional agreement into a final legal deal, as the US will need to prepare their executive order, and then the EU must complete internal consultation in the Commission&hellip;<\/p>\n","category_list_v2":"<a href=\"https:\/\/techgdpr.com\/blog\/category\/data-protection-digest\/\" rel=\"category tag\">Data Protection Digest<\/a>","author_info_v2":{"name":"Olya Vasylyk","url":"https:\/\/techgdpr.com\/blog\/author\/olyav\/"},"comments_num_v2":"0 comments","yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Weekly digest March 21 - 27, 2022: EU and US reach preliminary data transfer agreement, but experts have doubts - TechGDPR<\/title>\n<meta name=\"description\" content=\"TechGDPR\u2019s review of the most important privacy and data-related stories: new EU-US data transfer deal leaves privacy experts in doubt\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/techgdpr.com\/blog\/weekly-digest-28032022-eu-us-new-data-transfer-deal-leaves-privacy-experts-in-doubt\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Weekly digest March 21 - 27, 2022: EU and US reach preliminary data transfer agreement, but experts have doubts - TechGDPR\" \/>\n<meta property=\"og:description\" content=\"TechGDPR\u2019s review of the most important privacy and data-related stories: new EU-US data transfer deal leaves privacy experts in doubt\" \/>\n<meta property=\"og:url\" content=\"https:\/\/techgdpr.com\/blog\/weekly-digest-28032022-eu-us-new-data-transfer-deal-leaves-privacy-experts-in-doubt\/\" \/>\n<meta property=\"og:site_name\" content=\"TechGDPR\" \/>\n<meta property=\"article:published_time\" content=\"2022-03-28T08:51:48+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-10-31T17:10:37+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/03\/location-g82c423ca1_1280.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1280\" \/>\n\t<meta property=\"og:image:height\" content=\"1280\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Olya Vasylyk\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@techgdpr\" \/>\n<meta name=\"twitter:site\" content=\"@techgdpr\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Olya Vasylyk\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/weekly-digest-28032022-eu-us-new-data-transfer-deal-leaves-privacy-experts-in-doubt\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/weekly-digest-28032022-eu-us-new-data-transfer-deal-leaves-privacy-experts-in-doubt\\\/\"},\"author\":{\"name\":\"Olya Vasylyk\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#\\\/schema\\\/person\\\/07e9c14fd01b25bd2c1907537e8547e8\"},\"headline\":\"Weekly digest March 21 &#8211; 27, 2022: EU and US reach preliminary data transfer agreement, but experts have doubts\",\"datePublished\":\"2022-03-28T08:51:48+00:00\",\"dateModified\":\"2025-10-31T17:10:37+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/weekly-digest-28032022-eu-us-new-data-transfer-deal-leaves-privacy-experts-in-doubt\\\/\"},\"wordCount\":1943,\"publisher\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/weekly-digest-28032022-eu-us-new-data-transfer-deal-leaves-privacy-experts-in-doubt\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/techgdpr.com\\\/wp-content\\\/uploads\\\/2022\\\/03\\\/location-g82c423ca1_1280.png\",\"keywords\":[\"algorithms\",\"data brokers\",\"Digital Markets Act\",\"EU-US data transfer\",\"health tech\",\"pseudonymisation\",\"workers rights\"],\"articleSection\":[\"Data Protection Digest\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/weekly-digest-28032022-eu-us-new-data-transfer-deal-leaves-privacy-experts-in-doubt\\\/\",\"url\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/weekly-digest-28032022-eu-us-new-data-transfer-deal-leaves-privacy-experts-in-doubt\\\/\",\"name\":\"Weekly digest March 21 - 27, 2022: EU and US reach preliminary data transfer agreement, but experts have doubts - TechGDPR\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/weekly-digest-28032022-eu-us-new-data-transfer-deal-leaves-privacy-experts-in-doubt\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/weekly-digest-28032022-eu-us-new-data-transfer-deal-leaves-privacy-experts-in-doubt\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/techgdpr.com\\\/wp-content\\\/uploads\\\/2022\\\/03\\\/location-g82c423ca1_1280.png\",\"datePublished\":\"2022-03-28T08:51:48+00:00\",\"dateModified\":\"2025-10-31T17:10:37+00:00\",\"description\":\"TechGDPR\u2019s review of the most important privacy and data-related stories: new EU-US data transfer deal leaves privacy experts in doubt\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/weekly-digest-28032022-eu-us-new-data-transfer-deal-leaves-privacy-experts-in-doubt\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/techgdpr.com\\\/blog\\\/weekly-digest-28032022-eu-us-new-data-transfer-deal-leaves-privacy-experts-in-doubt\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/weekly-digest-28032022-eu-us-new-data-transfer-deal-leaves-privacy-experts-in-doubt\\\/#primaryimage\",\"url\":\"https:\\\/\\\/techgdpr.com\\\/wp-content\\\/uploads\\\/2022\\\/03\\\/location-g82c423ca1_1280.png\",\"contentUrl\":\"https:\\\/\\\/techgdpr.com\\\/wp-content\\\/uploads\\\/2022\\\/03\\\/location-g82c423ca1_1280.png\",\"width\":1280,\"height\":1280},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/weekly-digest-28032022-eu-us-new-data-transfer-deal-leaves-privacy-experts-in-doubt\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/techgdpr.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Weekly digest March 21 &#8211; 27, 2022: EU and US reach preliminary data transfer agreement, but experts have doubts\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#website\",\"url\":\"https:\\\/\\\/techgdpr.com\\\/\",\"name\":\"TechGDPR\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/techgdpr.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#organization\",\"name\":\"TechGDPR\",\"url\":\"https:\\\/\\\/techgdpr.com\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/staging.techgdpr.com\\\/wp-content\\\/uploads\\\/2018\\\/04\\\/TGDPR_logo_500px.png\",\"contentUrl\":\"https:\\\/\\\/staging.techgdpr.com\\\/wp-content\\\/uploads\\\/2018\\\/04\\\/TGDPR_logo_500px.png\",\"width\":501,\"height\":334,\"caption\":\"TechGDPR\"},\"image\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/techgdpr\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/techgdpr\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#\\\/schema\\\/person\\\/07e9c14fd01b25bd2c1907537e8547e8\",\"name\":\"Olya Vasylyk\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/wp-content\\\/uploads\\\/2021\\\/10\\\/readyIMG_3694-1-2-150x150.jpg\",\"url\":\"https:\\\/\\\/techgdpr.com\\\/wp-content\\\/uploads\\\/2021\\\/10\\\/readyIMG_3694-1-2-150x150.jpg\",\"contentUrl\":\"https:\\\/\\\/techgdpr.com\\\/wp-content\\\/uploads\\\/2021\\\/10\\\/readyIMG_3694-1-2-150x150.jpg\",\"caption\":\"Olya Vasylyk\"},\"description\":\"Creator and editor of TechGDPR\u2019s weekly Digest. Postgraduate masters Diploma in Data Protection, Digital law and Management. Over a decade Olga previously was a broadcast journalist in Ukraine and France specializing in international affairs.\",\"url\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/author\\\/olyav\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Weekly digest March 21 - 27, 2022: EU and US reach preliminary data transfer agreement, but experts have doubts - TechGDPR","description":"TechGDPR\u2019s review of the most important privacy and data-related stories: new EU-US data transfer deal leaves privacy experts in doubt","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/techgdpr.com\/blog\/weekly-digest-28032022-eu-us-new-data-transfer-deal-leaves-privacy-experts-in-doubt\/","og_locale":"en_US","og_type":"article","og_title":"Weekly digest March 21 - 27, 2022: EU and US reach preliminary data transfer agreement, but experts have doubts - TechGDPR","og_description":"TechGDPR\u2019s review of the most important privacy and data-related stories: new EU-US data transfer deal leaves privacy experts in doubt","og_url":"https:\/\/techgdpr.com\/blog\/weekly-digest-28032022-eu-us-new-data-transfer-deal-leaves-privacy-experts-in-doubt\/","og_site_name":"TechGDPR","article_published_time":"2022-03-28T08:51:48+00:00","article_modified_time":"2025-10-31T17:10:37+00:00","og_image":[{"width":1280,"height":1280,"url":"https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/03\/location-g82c423ca1_1280.png","type":"image\/png"}],"author":"Olya Vasylyk","twitter_card":"summary_large_image","twitter_creator":"@techgdpr","twitter_site":"@techgdpr","twitter_misc":{"Written by":"Olya Vasylyk","Est. reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/techgdpr.com\/blog\/weekly-digest-28032022-eu-us-new-data-transfer-deal-leaves-privacy-experts-in-doubt\/#article","isPartOf":{"@id":"https:\/\/techgdpr.com\/blog\/weekly-digest-28032022-eu-us-new-data-transfer-deal-leaves-privacy-experts-in-doubt\/"},"author":{"name":"Olya Vasylyk","@id":"https:\/\/techgdpr.com\/#\/schema\/person\/07e9c14fd01b25bd2c1907537e8547e8"},"headline":"Weekly digest March 21 &#8211; 27, 2022: EU and US reach preliminary data transfer agreement, but experts have doubts","datePublished":"2022-03-28T08:51:48+00:00","dateModified":"2025-10-31T17:10:37+00:00","mainEntityOfPage":{"@id":"https:\/\/techgdpr.com\/blog\/weekly-digest-28032022-eu-us-new-data-transfer-deal-leaves-privacy-experts-in-doubt\/"},"wordCount":1943,"publisher":{"@id":"https:\/\/techgdpr.com\/#organization"},"image":{"@id":"https:\/\/techgdpr.com\/blog\/weekly-digest-28032022-eu-us-new-data-transfer-deal-leaves-privacy-experts-in-doubt\/#primaryimage"},"thumbnailUrl":"https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/03\/location-g82c423ca1_1280.png","keywords":["algorithms","data brokers","Digital Markets Act","EU-US data transfer","health tech","pseudonymisation","workers rights"],"articleSection":["Data Protection Digest"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/techgdpr.com\/blog\/weekly-digest-28032022-eu-us-new-data-transfer-deal-leaves-privacy-experts-in-doubt\/","url":"https:\/\/techgdpr.com\/blog\/weekly-digest-28032022-eu-us-new-data-transfer-deal-leaves-privacy-experts-in-doubt\/","name":"Weekly digest March 21 - 27, 2022: EU and US reach preliminary data transfer agreement, but experts have doubts - TechGDPR","isPartOf":{"@id":"https:\/\/techgdpr.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/techgdpr.com\/blog\/weekly-digest-28032022-eu-us-new-data-transfer-deal-leaves-privacy-experts-in-doubt\/#primaryimage"},"image":{"@id":"https:\/\/techgdpr.com\/blog\/weekly-digest-28032022-eu-us-new-data-transfer-deal-leaves-privacy-experts-in-doubt\/#primaryimage"},"thumbnailUrl":"https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/03\/location-g82c423ca1_1280.png","datePublished":"2022-03-28T08:51:48+00:00","dateModified":"2025-10-31T17:10:37+00:00","description":"TechGDPR\u2019s review of the most important privacy and data-related stories: new EU-US data transfer deal leaves privacy experts in doubt","breadcrumb":{"@id":"https:\/\/techgdpr.com\/blog\/weekly-digest-28032022-eu-us-new-data-transfer-deal-leaves-privacy-experts-in-doubt\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/techgdpr.com\/blog\/weekly-digest-28032022-eu-us-new-data-transfer-deal-leaves-privacy-experts-in-doubt\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/techgdpr.com\/blog\/weekly-digest-28032022-eu-us-new-data-transfer-deal-leaves-privacy-experts-in-doubt\/#primaryimage","url":"https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/03\/location-g82c423ca1_1280.png","contentUrl":"https:\/\/techgdpr.com\/wp-content\/uploads\/2022\/03\/location-g82c423ca1_1280.png","width":1280,"height":1280},{"@type":"BreadcrumbList","@id":"https:\/\/techgdpr.com\/blog\/weekly-digest-28032022-eu-us-new-data-transfer-deal-leaves-privacy-experts-in-doubt\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/techgdpr.com\/"},{"@type":"ListItem","position":2,"name":"Weekly digest March 21 &#8211; 27, 2022: EU and US reach preliminary data transfer agreement, but experts have doubts"}]},{"@type":"WebSite","@id":"https:\/\/techgdpr.com\/#website","url":"https:\/\/techgdpr.com\/","name":"TechGDPR","description":"","publisher":{"@id":"https:\/\/techgdpr.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/techgdpr.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/techgdpr.com\/#organization","name":"TechGDPR","url":"https:\/\/techgdpr.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/techgdpr.com\/#\/schema\/logo\/image\/","url":"https:\/\/staging.techgdpr.com\/wp-content\/uploads\/2018\/04\/TGDPR_logo_500px.png","contentUrl":"https:\/\/staging.techgdpr.com\/wp-content\/uploads\/2018\/04\/TGDPR_logo_500px.png","width":501,"height":334,"caption":"TechGDPR"},"image":{"@id":"https:\/\/techgdpr.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/techgdpr","https:\/\/www.linkedin.com\/company\/techgdpr"]},{"@type":"Person","@id":"https:\/\/techgdpr.com\/#\/schema\/person\/07e9c14fd01b25bd2c1907537e8547e8","name":"Olya Vasylyk","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/techgdpr.com\/wp-content\/uploads\/2021\/10\/readyIMG_3694-1-2-150x150.jpg","url":"https:\/\/techgdpr.com\/wp-content\/uploads\/2021\/10\/readyIMG_3694-1-2-150x150.jpg","contentUrl":"https:\/\/techgdpr.com\/wp-content\/uploads\/2021\/10\/readyIMG_3694-1-2-150x150.jpg","caption":"Olya Vasylyk"},"description":"Creator and editor of TechGDPR\u2019s weekly Digest. Postgraduate masters Diploma in Data Protection, Digital law and Management. Over a decade Olga previously was a broadcast journalist in Ukraine and France specializing in international affairs.","url":"https:\/\/techgdpr.com\/blog\/author\/olyav\/"}]}},"_links":{"self":[{"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/posts\/5609","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/users\/21"}],"replies":[{"embeddable":true,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/comments?post=5609"}],"version-history":[{"count":12,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/posts\/5609\/revisions"}],"predecessor-version":[{"id":11276,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/posts\/5609\/revisions\/11276"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/media\/5610"}],"wp:attachment":[{"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/media?parent=5609"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/categories?post=5609"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/tags?post=5609"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}