Good things come in threes – adequacy decision of the European Commission establishes new legal framework for data transfers to the USA

Effective 10 July 2023, the European Commission (“EU Commission”) published an adequacy decision for the new EU-U.S. Data Privacy Framework (“Data Privacy Framework”), certifying that the USA has an adequate level of protection for personal data that is comparable to that of the European Union. The adequacy decision makes it easy to transfer personal data from the EU to the USA to those US companies that participate in the Data Privacy Framework. However, the critical voices already raised beforehand remain unchanged.

Background

The adequacy decision for the Data Privacy Framework is now the third attempt by the EU Commission and the US government to establish a data protection framework for the – in practice sometimes indispensable – transfers of personal data to the USA.

The first two attempts had failed before the European Court of Justice (“ECJ”). With the judgement of 16 July 2020 (C 311/18 - “Schrems II”), the ECJ declared the previous agreement, the so-called Privacy Shield, to be invalid (see also Update Data Protection No. 82). A few years ago, in 2015, the ECJ also invalidated the “Safe Harbor” decision of the EU Commission (C-362/14).

However, a lot has happened since the ECJ’s Schrems II decision. In March 2022, the EU Commission and the US announced that they had reached a fundamental agreement on a new legal framework for transatlantic data transfers. The following Executive Order of the US President of 7 October 2022 on this (as we reported with Update Data Protection No. 120) made it clear, that the US is (now) willing to significantly align the level of protection of personal data with the European understanding of it. The Data Privacy Framework creates once again binding safeguards to meet the requirements of the ECJ. In terms of content, it goes beyond its two predecessors.

The Data Privacy Framework now allows data transfers to certified companies

With immediate effect, personal data from the EU can be transferred to the USA again without further transfer mechanisms (such as EU standard contractual clauses) or additional measures.

However, the central prerequisite is that the data importing US company or the data importing US organization is also certified under the Data Privacy Framework. Such a mechanism already existed under its predecessor, the Privacy Shield. This is essentially a self-commitment to comply with various data protection obligations. The certification of the data importing company in the USA must be checked by the data exporters beforehand.

Data Privacy Framework addresses criticisms raised by the ECJ

The Data Privacy Framework continues to provide guarantees on the level of data protection in relation to government interventions by the US intelligence services and creates legal protection against them. The Data Privacy Framework addresses numerous points of criticism and requirements from the ECJ’s Schrems II decision on the Privacy Shield.

Essential principles of the Data Privacy Framework are now explicitly necessity and proportionality – two terms inherent in European data protection law and European law. On this basis, the access rights of the US intelligence services to the personal data of EU citizens are restricted. These should henceforth only be allowed to access personal data of EU citizens to the extent necessary and proportionate.

In order to meet another key requirement of the ECJ in the Schrems II decision, there are now also concrete remedies for EU citizens in the event of unjustified access to their data by US intelligence services. In the Schrems II decision at the time, the ECJ had complained that, among other things, effective legal protection against the access rights of the US intelligence services was lacking. To this end, a two-layer mechanism is introduced. First, the complaints are forwarded to the “Civil Liberties Protection Officer” (CLPO) of the US intelligence services, who then reviews them. Second, EU citizens can take action against the CLPO’s decision before the new Data Protection Review Court (DPRC).

In addition, there are further obligations for US companies that want to be certified under the Data Privacy Framework.

Outlook

There is a new legal framework for data transfers to the USA. Time will tell whether this will also “hold up” before the ECJ in the future. The EU Commission seems to be very optimistic. Despite the considerable efforts made by the USA in order to address the requirements of the ECJ, there continues to be considerable criticism of the agreement. In particular, the NGO “Noyb” is reportedly already ready to go. Therefore, it seems only a matter of time before the Data Privacy Framework – just like its predecessors – will be reviewed by the ECJ.

For data exporting companies based in the EU, the new Data Privacy Framework now provides a significant relief. For a data transfer to the USA, it is no longer necessary to rely on alternative transfer mechanisms, such as the EU standard contractual clauses. Accordingly, within the framework of the EU standard contractual clauses, the critical question of a transfer impact assessment and the need for “additional protective measures” no longer arises. However, there is no obligation to switch the transfer mechanism. Companies are therefore still free to use the alternative transfer mechanisms provided for in Art. 46 et seq. GDPR.

It should also be noted that the Data Privacy Framework only covers data transfers to the USA. International companies that also transfer data to other third countries without a corresponding adequacy decision must therefore continue to rely on alternative transfer mechanisms for such data transfers. Especially in global group structures, where corresponding group-wide Group Data Transfer Agreements already exist on the basis of EU standard contractual clauses or binding corporate rules, no changes are to be expected for the time being.