Schonherr
Schonherr
straight to the point. what are you looking for?
you are being redirected

You will be redirected to the website of our parent company, Schönherr Rechtsanwälte GmbH: www.schoenherr.eu

28 July 2023
blog
austria

A relief for companies: the new "EU US Data Privacy Framework" is in force!

data protection

The CJEU's annulment of the "Privacy Shield" created significant legal uncertainty around the use of US clouds and personal data transfers to the US. Fortunately, summer 2023 brings good news: this legal uncertainty has gone. On 10 July 2023, the European Commission has adopted an adequacy decision on the "EU US Data Privacy Framework" (DPF).

The DPF allows transfers of personal data to the US under essentially the same mechanisms as under its predecessor, the "Privacy Shield". Thus, if a US company gets certified under the "EU US Data Privacy Framework", it creates a data protection level that is adequate to the European data protection laws. It follows that personal data can be transferred from Europe to that company without a need for additional safeguards under Art 46 GDPR. A search registry of the US companies certified under the DPF can be found under: https://www.dataprivacyframework.gov/s/participant-search.

What does this mean for European companies?

  1. If a European company transfers personal data to a US company that is certified under the DPF, it should adapt its GDPR documentation (i.e. data processing records, TIA) accordingly.
  2. Standard Contractual Clauses that the European company might have concluded with that US company remain valid. A potential certification under the DPF of the US company will not terminate the Standard Contractual Clauses. Also, it is not harmful if the Standard Contractual Clauses and the DPF certification remain simultaneously in place.

Looking forward

It hardly comes as a surprise that the DPF came under fire almost immediately from several stakeholders. The DPF probably will be challenged in the same way as the "Safe Harbour" and the "Privacy Shield". Nevertheless, companies should not be discouraged by these announcements but rather take advantage of the newly generated legal stability. It is still recommended to keep in place Standard Contractual Clauses, since the DPF is likely to be challenged . If so, this might reinstall the former status of legal instability. In that case, Standard Contractual Clauses would be a good backup, since even if the CJEU declares the DPF unlawful it seems unlikely that the court will dismiss Standard Contractual Clauses concluded with US companies.   

The adequacy decision can be found here:

https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en

Information from the Data Protection Authority can be found here:

https://www.dsb.gv.at/download-links/bekanntmachungen.html#Angemessenheitsbeschluss

Günther
Leissler

Partner

austria vienna

+43 664 80060 3276
g.leissler@schoenherr.eu
download contact
more