
    11.07.2023

    Free rein for data transfers to the U.S.?


    The ECJ ruling of July 16, 2020 and its impact

    In its "Schrems II" judgment of July 2020, the European Court of Justice (ECJ) declared the EU-US Privacy Shield invalid. Until then, the Privacy Shield had served in practice as the most important mechanism for data transfers to the U.S. (we reported in our Privacy Ticker July 2020). Since then, there has been considerable uncertainty as to whether, and under what conditions, data transfers to the U.S. were still legally possible. The ruling therefore had significant implications for transatlantic data exchange, above all, but not only, for the use of popular online services such as Google and Facebook. The ECJ had held that data protection standards in the U.S. were inadequate, in particular because of the far-reaching powers of the U.S. intelligence services, and that European citizens were not adequately protected against government surveillance and misuse of their data. The ECJ also criticized the lack of effective legal remedies for EU citizens in the U.S. with regard to their data protection rights.

    Alternative safeguards for data transfers, such as concluding standard contractual clauses ("SCCs") or obtaining consent for transfers to third countries, especially the U.S., remained highly controversial. They always carried a certain risk of not holding up under judicial review or of attracting a substantial fine from a data protection authority.

    The EU-US Data Privacy Framework as a solution

    After the EU Commission and the U.S. government announced in March 2022 that they had agreed in principle on a legal framework for transatlantic data transfers, the EU Commission has now issued the long-awaited adequacy decision for the EU-US Data Privacy Framework ("Data Privacy Framework"). With this decision it responds to the ECJ's objections in the "Schrems II" ruling and once again certifies that the U.S. provides an adequate level of data protection within the meaning of the GDPR, this time, however, subject to certain conditions.

    Like the former Privacy Shield, the Data Privacy Framework is based on a system of self-certification. U.S. organizations and companies can commit to complying with the so-called EU-US Data Privacy Framework Principles, which are modelled on the principles of the GDPR, as well as with further principles issued by the U.S. Department of Commerce. As under the former Privacy Shield, the U.S. Department of Commerce will publish a list on the Internet of the organizations and companies certified under the Data Privacy Framework.

    In order to certify (or recertify on an annual basis) under the Data Privacy Framework, organizations and companies must publicly commit to complying with the above principles, make their privacy policies available, and fully implement them. As part of their certification application, they must submit further information to the U.S. Department of Commerce. This includes information about the organization itself, a description of the purposes for which personal data is processed, the categories of personal data covered by the certification, the chosen method of verification, the relevant independent complaint mechanism, and finally the competent enforcement authority. Organizations and companies may only receive and process personal data on the basis of the Data Privacy Framework from the time they are added to the U.S. Department of Commerce's Data Privacy Framework list. To ensure legal certainty and to prevent organizations or companies from falsely claiming to be certified, an organization or company certifying for the first time may not publicly refer to its compliance with the Principles or to its certification until the U.S. Department of Commerce has determined that the certification application is complete and the organization or company has been added to the list. To continue to rely on the Data Privacy Framework as a transfer mechanism, recertification must be carried out annually.

    What do companies in the EU need to be aware of?

    Unfortunately, the mere existence of the adequacy decision and the Data Privacy Framework does not yet mean that companies located in the EU or the EEA can now directly base their data transfers on it. The U.S. company to which the data is to be transferred must first be certified and published on the Data Privacy Framework list. This is likely to take some time, as U.S. companies must first implement the principles and meet the requirements described above.

    When the time comes, the privacy policies of the companies transferring data may have to be adapted, since up to now they have probably relied on mechanisms other than an adequacy decision for data transfers to the U.S. In any case, a privacy policy must state, for data transfers to third countries, whether or not an adequacy decision by the Commission exists (Art. 13 (1) (f) GDPR).

    Conclusion and prospects

    The EU Commission's adequacy decision ends, for the time being, a long period of legal uncertainty for the transfer of personal data to the U.S. Provided that the conditions described above are met, the decision is likely to bring significant simplifications to the legal assessment and practical implementation of lawful data transfers to the U.S. However, the Data Privacy Framework has also immediately drawn harsh criticism: it allegedly deviates too little from the Privacy Shield, which has already failed before the ECJ, and therefore supposedly offers no real protection for the personal data of EU citizens in the U.S. It remains to be seen how long this agreement will last this time. For now, however, many companies based in the EU or EEA that regularly want or need to transfer data to the U.S. can breathe a sigh of relief, at least until the next ECJ ruling on this topic.

    Fabian Eckstein