Free rein for data transfers to the U.S.?

On Monday, July 10, 2023, the European Commission published the long-awaited adequacy decision for data transfers from the EU to the US. It remains an open question whether this will resolve the more than two years of uncertainty surrounding cooperation with U.S. companies.

The ECJ ruling of July 16, 2020 and its impact

The European Court of Justice (ECJ) had ruled in the so-called "Schrems II" judgment in July 2020 that the so-called EU-US Privacy Shield, which until then had served in practice as the most important mechanism for data transfers to the U.S., was ineffective (we reported in our Privacy Ticker July 2020). Since then, there has been major uncertainty as to whether and under what conditions data transfers to the U.S. were still legally possible. The ruling thus had significant implications for transatlantic data exchange. This applied above all, but not only, to the use of popular online services such as Google and Facebook. The ECJ had argued that data privacy standards in the U.S. were inadequate, in particular due to the excessive powers of the U.S. intelligence services, and that European citizens were not adequately protected against government surveillance and misuse of data. The ECJ also criticized the lack of effective legal protection for EU citizens in the U.S. with regard to their data protection rights.

Alternative safeguards for data transfers, such as the conclusion of standard contractual clauses ("SCCs") or even obtaining consent for data transfers to third countries, especially the U.S., remained highly controversial and always carried a certain risk of not being able to hold up under judicial review or of incurring a substantial fine from a data protection authority.

The EU-US Data Privacy Framework as a solution

After the EU Commission and the U.S. government announced in March 2022 that they had agreed in principle on a legal framework for transatlantic data transfers, the EU Commission has finally issued the long-awaited adequacy decision for the EU-US Data Privacy Framework ("Data Privacy Framework"). In doing so, it is responding to the ECJ's objections in the "Schrems II" ruling and once again certifies that the U.S. has an adequate level of data protection within the meaning of the GDPR, but this time under certain conditions.

Similar to the former "Privacy Shield", the Data Privacy Framework is based on a system of certification. US organizations and companies can commit to compliance with the so-called EU-US Data Privacy Framework Principles, which are based on the principles of the GDPR, as well as other principles issued by the US Department of Commerce. The U.S. Department of Commerce will also publish a list on the Internet, similar to the former "Privacy Shield", listing the organizations and companies certified under the Data Privacy Framework.

In order to certify (or recertify on an annual basis) under the Data Privacy Framework, organizations and companies must publicly commit to compliance with the above principles, make their privacy policies available, and fully implement them. As part of their certification application, they must submit various other information to the U.S. Department of Com-merce. These include their organization, a description of the purposes for which personal data is processed, the personal data covered by the certification, and the chosen method of review, the relevant independent complaint mechanism, and finally the relevant enforcement authority. Organizations and businesses can only receive and process personal data based on the Data Privacy Framework from the time they are added to the U.S. Department of Commerce's Data Privacy Framework list. To ensure legal certainty and to avoid organiza-tions or companies falsely claiming to be certified, when they first become certified, they may not publicly reference their compliance with the Principles or their certification until the U.S. Department of Commerce has determined that the relevant certification application is complete and the organization or company has been added to the list. To continue to rely on the Data Privacy Framework as a transfer mechanism, annual recertification must be conducted.

What do companies in the EU need to be aware of?

Unfortunately, the mere existence of the adequacy decision or the Data Privacy Framework does not yet mean that companies located in the EU or the EEA can now directly base their data transfers on it. This is because the respective US company to which the data is to be transferred must first be certified and published in the Data Privacy Framework list. This is likely to take some time, as the US companies must first implement the principles and comply with the requirements described above.
When the time comes, the privacy policies of the companies transferring data may have to be adapted, as they are likely to rely on mechanisms other than the adequacy decision with regard to data transfers to the U.S. so far. However, the privacy policy must always mention the existence or absence of an adequacy decision by the Commission in the case of data transfers to third countries (Art. 13 (1) (f) GDPR).

Conclusion and prospects

The EU Commission's adequacy decision for the time being ends a long period of legal uncertainty for the transfer of personal data to the US. Provided that the conditions de-scribed above are met, the decision is likely to lead to significant simplifications in the legal assessment and implementation of lawful U.S. data transfers in practice. However, the Data Privacy Framework has also immediately received harsh criticism because it allegedly deviates too little from the Privacy Shield, which has already failed before the ECJ, and therefore does not offer any real protection for the personal data of EU citizens in the US. So, it remains to be seen how long this agreement will last this time. For the time being, however, many companies based in the EU or EEA that regularly want or need to transfer data to the U.S. can breathe a sigh of relief until the next ECJ ruling on this topic.

Fabian Eckstein