On 10 July 2023, the European Commission adopted an adequacy decision for a lawful data transfer from the EU to the USA for the third time. [1] This means that personal data may again be lawfully transferred to the US. This will facilitate the use of US service providers for EU companies.
The recent adequacy decision is based on the EU-US Data Privacy Framework ("DPF"), which US President Joe Biden and Commission President von der Leyen announced in principle back in March 2022. [2] It acknowledges that personal data transferred from EU entities to US companies that commit to the principles of the new EU-US Data Privacy Framework receives an adequate level of protection.
This marks the third attempt after the DPF's predecessors, the 2000 Safe Harbour and the 2016 Privacy Shield, were ruled invalid by the European Court of Justice ("ECJ"). The decision could potentially end a years-long journey that began back in 2000 with the Commission's "Safe Harbour" decision. [3]
According to the Commission, the recent adequacy decision addresses the main points raised by the ECJ in its Schrems II judgment in order to guarantee appropriate protection of EU residents' personal data in the US. In particular, the adequacy decision builds on an Executive Order of the President of the United States that introduces new binding safeguards limiting access to data by US intelligence agencies to what is necessary and proportionate, and that establishes an independent and impartial redress mechanism to handle and resolve complaints from EU residents concerning the collection of their data for national security purposes. [4]
The key principles of the new EU-US Data Privacy Framework include:
To qualify for a data transfer based on the adequacy decision, US companies must self-certify under the DPF and declare their compliance with it, including by updating their privacy policies. The DPF is administered by the US Department of Commerce ("DoC"), which processes the certification applications. US entities that have already certified compliance with the (then applicable) Privacy Shield principles and still hold an active certification may rely on the DPF immediately. [5] The DoC also monitors whether certified companies continue to meet the certification requirements. A website dedicated to the DPF, which also offers the possibility to self-certify, has already been launched.
Following the recent adequacy decision, the transfer of personal data from the EU to the US is deemed lawful. This means that the use of service providers based in the US is, in principle, possible again. However, the European entity (controller) must ensure that certain conditions are met before the transfer. In particular, the European controller is obliged to ensure that the data processing, which also includes the transfer, fulfils the following criteria:
US-based companies that want to self-certify under the DPF and rely on the adequacy decision for a lawful data transfer will have to implement internal and external policies and processes. In particular, their privacy policies must be amended to incorporate the new DPF principles, and any existing certifications under the old Privacy Shield must be updated or recertified and the necessary fees paid.
The European Data Protection Board ("EDPB") acknowledged that the new framework shows "significant improvements" over its predecessors. However, it noted that the DPF still falls short of the level of protection guaranteed by the GDPR in some areas. The European Parliament, in a non-binding resolution, opposed the new framework, pointing out that it still allows a certain level of bulk data collection and does not provide adequate data protection safeguards for Europeans. At the same time, the NGO noyb announced its intention to challenge the decision before the ECJ again, criticising it as "essentially a repeat of the Privacy Shield".
It therefore seems crucial to maintain an alternative transfer mechanism for engaging US providers, as a third annulment of an adequacy decision by the ECJ could abruptly disrupt enterprise-wide data processing (again). As this process continues, we will keep you updated on further steps to ensure the safe and unimpeded flow of data between the EU and the US. In the meantime, please do not hesitate to contact us if you require assistance in preparing the necessary aspects for an immediate, compliant data transfer.
[1] Commission Implementing Decision of 10 July 2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework.
[2] European Commission press release, https://ec.europa.eu/commission/presscorner/detail/en/ip_22_2087.
[3] 2000/520/EC: Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce.
[4] Executive Order 14086 of 7 October 2022 on Enhancing Safeguards for United States Signals Intelligence Activities.
[5] List of active certifications under the (old) Privacy Shield, https://www.privacyshield.gov/list.
Florian Terharen, Attorney at Law, Vienna, Austria