EU Commission adequacy decision on the USA - transfer of personal data to many US companies finally possible again with legal certainty
The transfer of personal data to countries with a lower level of data protection than the EU - as the USA has been until now - is generally prohibited. On Monday, July 10, 2023, the European Commission adopted an adequacy decision intended to enable secure and trustworthy data flows between the EU and the USA.
What is the significance and background of this?
In addition to the processing of personal data within the EU and the non-member states Norway, Liechtenstein and Iceland (second countries), the General Data Protection Regulation also provides for a regulation for the transfer of data to third countries.
According to Article 45(3) GDPR, the Commission can make a binding determination by means of an adequacy decision that a third country offers an "adequate level of protection", i.e. that the protection of personal data is equivalent in substance to the protection offered in the EU. If such a decision has been made, personal data may be transferred to a company in a third country on the basis of the GDPR under the same conditions as to a company based in the EU. There is therefore no longer any need for additional protective measures, the design of which has so far been difficult and fraught with legal uncertainty.
Most recently, in 2016, the European Commission presented such an adequacy decision with regard to the USA in the form of the Privacy Shield, which was declared invalid by the European Court of Justice in 2020 following an action by Austrian data activist Maximilian Schrems - as was the previous agreement known as Safe Harbor in 2015.
The European Commission then worked with the US government to develop a new agreement called the "EU-US Data Privacy Framework", which is intended to address the shortcomings that the ECJ had criticized in its ruling. The current adequacy decision of the EU Commission refers to this agreement.
What is new? Who is allowed to store and process personal data in the USA?
It is important to note that the EU Commission's adequacy decision does not refer to the USA as such, but to the EU-US Data Privacy Framework and therefore only to those companies that have joined this framework. To do so, US companies must undertake to comply with detailed data protection obligations and are then entered in a register that can be viewed at https://www.dataprivacyframework.gov/s/participant-search. This means that if a contractual partner of an EU company is listed in this register, personal data can be made accessible to it in the same way as to a European contractual partner. In particular, the involvement of numerous US service providers in the software sector, for example when using SaaS systems, which had previously been problematic, can now be placed on a legally secure footing again. These providers include Microsoft, Google and Amazon - but not Apple, for example.
What are the consequences of the decision?
A legal basis for transatlantic data transfers to the USA has been re-established, making such transfers considerably easier. When involving US service providers that have joined the EU-US Data Privacy Framework, EU companies no longer have to fear action by data protection supervisory authorities or warning letters. Previous measures, such as standard data protection clauses combined with the preparation of a complex transfer impact assessment, are no longer required. As recently as March 2023, the Cologne Regional Court, ruling on a complaint by the NRW Consumer Advice Center against Deutsche Telekom, held that the use of Google Analytics is unlawful simply because of the data transfer to the USA. The use of Google Analytics will continue to be subject to data protection regulations in other respects. However, the aspect of data transfer to the USA is currently no longer a problem.
How is data protection structured and how does this address the concerns of the ECJ?
US authorities can still access personal data stored in the USA for the purposes of criminal prosecution and national security. However, this access will be limited to what is "necessary and proportionate".
Regular checks by the European Commission, representatives of the European data protection authorities and the relevant US authorities are intended to ensure that all requirements of the new data protection framework are fully met and are actually effective in practice.
The current lack of independent judicial control of data access is being addressed by the creation of a new court in the USA called the Data Protection Review Court. This will enable citizens of the EU to obtain a free data protection review. If it finds that data collection has breached the new guarantees, it can order binding remedies, in particular the deletion of the data.
Nonetheless, Mr. Schrems has already announced that he intends to file another complaint with the ECJ. In his view, the new agreement is "largely a copy of old principles" and does not provide sufficient protection because the USA and the EU have a different understanding of what is "proportionate".
On the one hand, the Federal Commissioner for Data Protection and Freedom of Information (BfDI) also states: "For those affected and data exporters, there is now legal certainty for the time being." On the other hand, he also expresses concerns: "Whether this agreement will solve the problems described or whether the dispute will continue all the way to a 'Schrems III' decision is currently unclear and therefore remains to be seen."
Conclusion
There is currently sufficient legal certainty for EU companies when transferring data to companies in the USA that have joined the EU-US Data Privacy Framework. It remains to be seen whether any legal action will be brought against this. In any case, it would take several years for legal proceedings to be concluded, meaning that data transfer to the USA would once again be legally secure, at least for some time.
The previous solutions to justify a data transfer to the USA should be adapted to the new EU-US Data Privacy Framework as a reliable basis. We would be happy to advise you on this.