New Adequacy Decision for the U.S.: EU-US Data Privacy Framework

On July 10, 2023, the EU Commission issued a new adequacy decision for data transfers to the USA. The so-called EU-US Data Privacy Framework brings new legal certainty for data transfer to the USA.

Background

In principle, personal data may only be transferred to third countries (countries outside the European Union or the European Economic Area) if the level of protection guaranteed by the General Data Protection Regulation is not undercut.

The EU-US Data Privacy Framework is the third attempt by the USA and the EU to enable legally secure data transfer to the USA. Since the Schrems II ruling in July 2020, such a transfer was no longer possible on the basis of an adequacy decision. In this decision, the European Court of Justice (ECJ) declared the Privacy Shield, the successor to the Safe Harbor Agreement, invalid. Since then, data transfer has been associated with great legal uncertainty. Personal data could only be transferred on the basis of other guarantees, such as standard contractual clauses or binding corporate rules. Nevertheless, the controller always had to check whether an equivalent level of protection prevails in the third country or whether additional measures may need to be taken to achieve the appropriate level of protection.

The adequacy decision

The new adequacy decision is primarily intended to take into account the concerns expressed by the ECJ. Access by US intelligence services to EU data will be limited to a necessary and proportionate level and a kind of data protection review court will be created to which EU citizens will have access, according to the European Commission.

The EU-US Data Privacy Framework brings significant improvements over the existing mechanism under the Privacy Shield.

American companies must certify themselves according to the EU-US Data Privacy Framework. This procedure is already known from the Privacy Shield. For example, companies must commit to deleting personal data when it is no longer necessary for the purpose for which it was collected and to ensure the continuity of protection when personal data is disclosed to third parties.

New lawsuit only a matter of time

The data protection organization NOYB and its chairman Max Schrems have already announced their intention to take legal action against the EU-US Data Privacy Framework. “They say the definition of insanity is that you do the same thing over and over again and still expect a different result. Just like the Privacy Shield, the latest agreement is not based on substantive changes, but on short-term political thinking.”

It is important for companies that as long as the ECJ has not annulled the adequacy decision, it is effective. It will remain so, even if a lawsuit is filed. Nevertheless, when implementing new software, companies should consider whether it would be easy to switch to another provider or whether a European provider should be used directly in order to be able to react smoothly in the event of a new ECJ decision.

What do companies need to do?

Companies must check whether integrated US tools are certified under the EU-US Data Privacy Framework. The current status can be viewed at www.dataprivacyframework.gov/s/ from 17 July 2023. Under certain circumstances, companies may have to adapt their data protection notices, order processing contracts or their processing directory.

Result

In the coming years, data transfer to the USA will be possible in a legally secure manner. It will be a few years before the ECJ decides on the new adequacy decision.

Nevertheless, companies should not take the adequacy decision as an opportunity to only use providers from the USA in the future, but should continue to carefully check whether a transfer to the USA is actually necessary and, if necessary, look for European alternatives.

By MELCHERS, Germany, a Transatlantic Law International Affiliated Firm.

For further information or for any assistance please contact germany@transatlanticlaw.com

Disclaimer: Transatlantic Law International Limited is a UK registered limited liability company providing international business and legal solutions through its own resources and the expertise of over 105 affiliated independent law firms in over 95 countries worldwide. This article is for background information only and provided in the context of the applicable law when published and does not constitute legal advice and cannot be relied on as such for any matter. Legal advice may be provided subject to the retention of Transatlantic Law International Limited’s services and its governing terms and conditions of service. Transatlantic Law International Limited, based at 42 Brook Street, London W1K 5DB, United Kingdom, is registered with Companies House, Reg Nr. 361484, with its registered address at 83 Cambridge Street, London SW1V 4PS, United Kingdom.