Introduction

The European Commission adopted the new Trans-Atlantic Data Privacy Framework adequacy decision for the EU-US data protection framework on 10^th of July 2023.

The European Commission has decided that the United States is a third country with an equivalent level of protection for personal data, comparable to that of the EU, and thus
further protective measures for data transfers are not required if the respective US company joins the data protection framework, thus ensuring compliance with data protection obligations. According to Commission President Ursula von der Leyen, this would lead to more legal certainty on both sides.

What is new?

According to the Commission, access by US intelligence services to EU data remains limited to a necessary and proportionate level. What is to be understood by this is not
specified. A Civil Liberties Protection Officer (CLPO) and a Data Protection Review Court (DPRC) are envisaged as remedies or review bodies in the event of improper handling of data by US companies, to which individuals can turn. The court is to determine whether safeguards were breached in the data collection and may order the deletion of the data. Whether breaches have been found and remedial action taken is not communicated to the complainant.

US companies can sign up to the Data Privacy Framework by committing to uphold certain data protection principles, such as deleting personal data when the purpose for
collecting it no longer applies. The website of the US International Trade Administration, US Department of Commerce (www.dataprivacyframework.gov/s/data-protection-authorities), lists the companies that have signed up to the Data Privacy Framework.

At the time of publication, the website is still partly under construction and no certified
US companies have been published yet. The next few weeks will show how quickly the certification process will proceed and whether the first US companies will already be published in the certified list. 

Meaning for European Companies

For European companies, the US Adequacy Decision means that additional standard contractual clauses would no longer be necessary, provided they use US companies certified under the US Adequacy Decision as service providers. In practical terms, this means an expansion of the choice of (certified) service providers and the simplification of contract negotiations.

Criticism and outlook

The non-governmental organisation None of Your Business (“NOYB”) has already announced that it has prepared procedural options. Chairman Max Schrems, an Austrian lawyer and data protection activist who gave rise to the Schrems I and Schrems II
rulings, criticised the adequacy decision, calling it a copy of the “Privacy Shield” and “Safe Harbour” – the previous US adequacy decisions from 2015 and 2020 that were overturned by the ECJ.

He accuses the European Commission of not intending to make any substantial changes, but of acting based on short-term political thinking, thus ignoring the rulings of the European Court of Justice (ECJ) for the third time. The ECJ has also declared the US mass surveillance system (FISA 702) to be disproportionate and in breach of the EU Charter of Fundamental Rights. Although the new Executive Order 14086, which was the basic prerequisite for the adequacy decision, now requires proportionality, it is to be feared that due to a lack of a common definition, there will be divergent understandings of the term proportionality by the EU and the USA, which will lead to divergent assessments of individual measures, also in the light of ECJ case law.

In the event of a successful challenge, the ECJ could suspend the agreement throughout the proceedings. A final decision can then only be expected in 2024 or 2025.

Recommendations for European companies

For the time being, standard contractual clauses with US companies should be maintained unless they are certified. However, privacy notices can be adapted to remove the section on the United States as an unsafe third country. However, a reference to the standard contractual clause should remain until the service provider is certified. Should the adequacy decision end up before the ECJ again after the announcement of the “NOYB” organisation and then be declared insufficient, this would again result in personal data having been transferred to US service providers in an unlawful manner. Therefore, it is advisable to continue to use standard contractual clauses for data transfers until the final clarification at the ECJ. 

 Previous articles can be found here:

The EDPB and the Trans-Atlantic Data Privacy Framework (Part 1)

The EDPB and the Trans-Atlantic Data Privacy Framework (Part 2)