New ade­quacy decis­i­on for the USA

The EU‑U.S. Data Pri­va­cy Frame­work about to cross the finish line

In March 2022, the EU‑U.S. Data Pri­va­cy Frame­work was announ­ced as a new data pro­tec­tion agree­ment bet­ween the USA and the EU. A leng­thy coor­di­na­ti­on and imple­men­ta­ti­on pro­cess fol­lo­wed. Sin­ce 3 July 2023, all mea­su­res of the agree­ment have been imple­men­ted on the US side. The Euro­pean Com­mis­si­on the­r­e­fo­re adopted a new ade­quacy decis­i­on on 10 July 2023 . The high hurd­les for data trans­fers to the USA are now a thing of the past.

Cur­rent hurd­les for data trans­fers to the USA

With its “Schrems II” decis­i­on of 16 July 2020, the Euro­pean Court of Jus­ti­ce (ECJ) not only over­ru­led the old ade­quacy decis­i­on for data trans­fers to the USA and declared the EU‑U.S. Pri­va­cy Shield insuf­fi­ci­ent, but also impo­sed strict requi­re­ments on data trans­fers to third count­ries based on stan­dard con­trac­tu­al clau­ses . Sin­ce then, tho­se who use stan­dard con­trac­tu­al clau­ses have to check in a Trans­fer Impact Assess­ment (TIA) whe­ther the legal situa­ti­on and legal prac­ti­ce in the third coun­try com­ply with the clau­ses. If this is not the case, addi­tio­nal mea­su­res must be taken or the trans­fer must be suspended.

New pro­tec­ti­ve mea­su­res in the USA

The EU‑U.S. Data Pri­va­cy Frame­work and the “Exe­cu­ti­ve Order on Enhan­cing Safe­guards for United Sta­tes Signals Intel­li­gence Acti­vi­ties” (E.O. 14086) of 7 Octo­ber 2022 crea­te a new basis for data trans­fers to the USA. Access to data by intel­li­gence ser­vices is to be limi­t­ed to what is neces­sa­ry and pro­por­tio­na­te to pro­tect natio­nal secu­ri­ty, as requi­red by the ECJ in the “Schrems II” decis­i­on. In addi­ti­on, it is inten­ded to estab­lish an inde­pen­dent and impar­ti­al redress mecha­nism for data sub­jects in Euro­pe, inclu­ding a new Data Pro­tec­tion Review Court. After the Exe­cu­ti­ve Order was offi­ci­al­ly imple­men­ted in full, the EU Com­mis­si­on adopted the new ade­quacy decision.

What comes next: Is a “Schrems III” decis­i­on looming?

The EU Com­mis­si­on adopted the new ade­quacy decis­i­on on 10 July 2023. As long as this decis­i­on is in force, an ade­qua­te level of data pro­tec­tion is for­mal­ly dee­med to exist in the USA. Con­se­quent­ly, data trans­fers to the USA are not objec­tionable from a data pro­tec­tion per­spec­ti­ve. Howe­ver, it remains to be seen whe­ther the new ade­quacy decis­i­on will stand up to scru­ti­ny by the ECJ. Even if the level of data pro­tec­tion in the USA impro­ves as a result of the EU‑U.S. Data Pri­va­cy Frame­work, a future fail­ure of the ade­quacy decis­i­on befo­re the ECJ can­not be ruled out. Data pro­tec­tion acti­vists are alre­a­dy voi­cing strong cri­ti­cism. For this reason, it makes sen­se for com­pa­nies to rely on Euro­pean pro­vi­ders or US pro­vi­ders with strict­ly Euro­pean solu­ti­ons if pos­si­ble. Regard­less of the fur­ther deve­lo­p­ment of the legal situa­ti­on for data trans­fers to the USA, it should also not be for­got­ten that the requi­re­ments from the “Schrems II” decis­i­on also app­ly to data trans­fers to other third count­ries such as Chi­na or India.


reuschlaw Onepager Data Privacy Framework

reusch­law One­pager Data Pri­va­cy Framework


Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.