Germany Update: Privacy Shield 3.0 USA – Much Ado About Nothing?!

Starting situation

In June 2020, the ECJ prohibited the transfer of data to the USA based on the self-certification of the US data importer under Privacy Shield 2.0. As a result, a large number of U.S. data importers switched to the EU standard contractual clauses.

EU adequacy decision in June 2023

Since June 2023, an export of personal data from the EEA to the USA can again be based on the self-certification of the data importer in the USA under the Privacy Shield 3.0. However, many assume that the Privacy Shield 3.0 will hardly survive the 3rd anniversary of its entry into force, as a large number of lawsuits/complaints have already been announced.

Self-certification instead of standard contractual clauses?

Against this background, the question arises as to whether, from the point of view of US data importers, it makes sense to convert all existing data import agreements from the standard contractual clauses to self-certification under Privacy Shield 3.0.

If the data importer acts as a processor of an EU data exporter, the changeover makes little sense, because in this case a data processing agreement is still required. The latter is included in the standard contractual clauses “Controller-Processor-Transfer” anyway.

The self-certification of processors is therefore only attractive for US processors who absolutely want to deviate from the few provisions of the standard contractual clauses “Controller-to-Processor”, which are not typically included in order processing agreements anyway.

The legal situation is different for US data importers, who act as the sole responsible body. In this case, there is no need to agree on the standard contractual clauses controller-to-controller transfer between the US data importer and the EEA data exporter, which results in a significant reduction in the documentation effort.

By MELCHERS, Germany, a Transatlantic Law International Affiliated Firm.  

For further information or for any assistance please contact germany@transatlanticlaw.com

Disclaimer: Transatlantic Law International Limited is a UK registered limited liability company providing international business and legal solutions through its own resources and the expertise of over 105 affiliated independent law firms in over 95 countries worldwide. This article is for background information only and provided in the context of the applicable law when published and does not constitute legal advice and cannot be relied on as such for any matter. Legal advice may be provided subject to the retention of Transatlantic Law International Limited’s services and its governing terms and conditions of service. Transatlantic Law International Limited, based at 42 Brook Street, London W1K 5DB, United Kingdom, is registered with Companies House, Reg Nr. 361484, with its registered address at 83 Cambridge Street, London SW1V 4PS, United Kingdom.