The EU‑U.S. Data Privacy Framework about to cross the finish line
In March 2022, the EU‑U.S. Data Privacy Framework was announced as a new data protection agreement between the USA and the EU. A lengthy coordination and implementation process followed. Since 3 July 2023, all measures of the agreement have been implemented on the US side. The European Commission therefore adopted a new adequacy decision on 10 July 2023 . The high hurdles for data transfers to the USA are now a thing of the past.
Current hurdles for data transfers to the USA
With its “Schrems II” decision of 16 July 2020, the European Court of Justice (ECJ) not only overruled the old adequacy decision for data transfers to the USA and declared the EU‑U.S. Privacy Shield insufficient, but also imposed strict requirements on data transfers to third countries based on standard contractual clauses . Since then, those who use standard contractual clauses have to check in a Transfer Impact Assessment (TIA) whether the legal situation and legal practice in the third country comply with the clauses. If this is not the case, additional measures must be taken or the transfer must be suspended.
New protective measures in the USA
The EU‑U.S. Data Privacy Framework and the “Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities” (E.O. 14086) of 7 October 2022 create a new basis for data transfers to the USA. Access to data by intelligence services is to be limited to what is necessary and proportionate to protect national security, as required by the ECJ in the “Schrems II” decision. In addition, it is intended to establish an independent and impartial redress mechanism for data subjects in Europe, including a new Data Protection Review Court. After the Executive Order was officially implemented in full, the EU Commission adopted the new adequacy decision.
What comes next: Is a “Schrems III” decision looming?
The EU Commission adopted the new adequacy decision on 10 July 2023. As long as this decision is in force, an adequate level of data protection is formally deemed to exist in the USA. Consequently, data transfers to the USA are not objectionable from a data protection perspective. However, it remains to be seen whether the new adequacy decision will stand up to scrutiny by the ECJ. Even if the level of data protection in the USA improves as a result of the EU‑U.S. Data Privacy Framework, a future failure of the adequacy decision before the ECJ cannot be ruled out. Data protection activists are already voicing strong criticism. For this reason, it makes sense for companies to rely on European providers or US providers with strictly European solutions if possible. Regardless of the further development of the legal situation for data transfers to the USA, it should also not be forgotten that the requirements from the “Schrems II” decision also apply to data transfers to other third countries such as China or India.