On July 10, 2023, the European Commission’s adequacy decision for secure and trustworthy data traffic between the EU and the U.S. (“EU-US data protection framework”) was adopted. After years of legal uncertainty, this provides a secure basis for the transfer of personal data to the USA, at least for the time being. However, the adequacy decision is no free ticket for data transfers to the U.S..
Meaning of the adequacy decision
Since a ruling by the European Court of Justice (CJEU) in 2020 (“Schrems-II”, see our special edition of July 21, 2020), legally secure transatlantic data exchange has faced seemingly insurmountable obstacles. The reason is a disparity in the level of protection of personal data in the EU on the one hand and the U.S. on the other, as determined by the CJEU. Criticism focused on laws in force in the U.S., such as the Foreign Intelligence Surveillance Act of 1978 and the Cloud Act, which in the opinion of the Court allowed insufficiently controlled access to personal data by government authorities. The newly adopted adequacy decision seeks to address this criticism by introducing new binding safeguards to limit U.S. intelligence agencies’ access to EU data to a necessary and proportionate level and to provide EU citizens with sufficient legal remedies.
Regulatory Content of the EU-US Data Privacy Framework
The Data Privacy Framework primarily addresses U.S. organizations and companies. These can join the EU-US Data Privacy Framework by committing to comply with detailed data protection obligations.
In addition, there are binding guarantees that restrict access to data by U.S. intelligence services. In 2020, the European Court of Justice had presupposed in its ruling that data protection may only be restricted with a legal regulation that is proportionate. The new legal framework provides for two such statutory restrictions: Data processing for law enforcement purposes and for national security reasons. To avoid rampant application, EU citizens will not only be able to sue for damages in U.S. courts in the event of a breach of these statutory regulations. With the Data Protection Review Court, they also have legal recourse to another newly created supervisory authority.
In addition to effective mechanisms within companies to address complaints from data subjects, compliance with these privacy framework principles will be ensured by the Federal Trade Commission and the Department of Transportation as regulators. In addition, a dispute resolution body will be created and an arbitration procedure will be established.
Prerequisites for data transfer: certification procedure
The (self-)certification mechanism already known from Privacy Shield 1.0 returns: Only to appropriately certified U.S. companies can data be transferred in a legally secure manner on the basis of the EU-U.S. data protection framework. Successfully certified companies will be included in a list published by the U.S. Department of Commerce. Certification must be renewed annually.
It is important to know for the transferring companies that the EU-US data protection framework exclusively addresses the requirement of an adequate level of data protection in third countries pursuant to
Art. 44 et seq. GDPR. All other data protection requirements, such as a sufficient legal basis, measures to ensure data security and transparency, and a sufficient contractual basis with data processors and joint controllers, must be met separately. The EU-US data protection framework should therefore by no means be understood as a free ride. Many of the data protection issues, especially in the context of cooperation with U.S. industry giants such as Facebook, Microsoft and others, thus continue to exist.
The EU-US data protection framework once again provides a straightforward basis for transatlantic data transfers, which brings enormous practical relief and creates legal certainty for companies. There is a need for action for German companies with regard to the adaptation of their data protection notice in accordance with Article 13 of the GDPR, and all other data protection requirements must also continue to be individually reviewed and observed.
It remains to be seen how long the EU-US data protection framework will remain in place as the basis for transatlantic data transfers, because a judicial review by the European Court of Justice has already been initiated. Whether the problems attested to in Schrems II have really been remedied, as the European Commission claims, remains to be seen.