Bajorat Media

The “EU-U.S. Data Privacy Framework” – data protection agreement between the EU and the USA

EU-U.S. Data Privacy Framework: Impact on companies and criticism of it. Everything you need to know about the new data protection agreement.

Data transfer between the European Union and the United States has entered a new era. With the “EU-U.S. Data Privacy Framework”, a new data protection agreement was created, which forms the basis for a decision taken by the European Commission in June 2023. This declares the level of data protection for certified companies in the USA to be appropriate. This article highlights the developments in the matter of “data transfer to the USA” up to the issuance of the new adequacy decision and explains what is meant by such an adequacy decision.

The backstory

The history of data protection between the EU and the USA is characterized by constant changes and adaptations. Before the “EU-U.S. Data Privacy Framework” there were already two other agreements: Safe Harbor and Privacy Shield. However, both were overturned by the European Court of Justice (ECJ) because they did not provide sufficient protection for the data of European citizens. In March 2022, the European Commission and the US government agreed on the “EU-US Data Privacy Framework”.

On March 25, 2022, the Commission published the following basic principles of the data protection agreement in its fact sheet:

- Data can flow freely and securely between the EU and participating US companies.
- A new set of rules and binding protective measures are intended to restrict access by the US intelligence services.
- Procedures will be established to ensure effective monitoring of the new standards.
- A new two-tier redress system will ensure that complaints from EU citizens about access to data by US intelligence services are investigated and addressed.
- Strict obligations apply to US companies processing data transferred from the EU.

The emergence of the EU-U.S. Data Privacy Framework

After the announcement of the agreement in principle, the ball was on the other side of the Atlantic. It was the USA’s turn to legally secure the basic principles of the agreement and to address those aspects of data protection in the USA that led the European Court of Justice (ECJ) to repeal the Privacy Shield in 2020. On October 7, 2022, US President Joe Biden issued a corresponding decree on this matter. Through this Executive Order On Enhancing Safeguards for United States Signals Intelligence Activities (E.O.), among other things, the US secret services are instructed to limit their data access to a proportionate level.

On December 13, the European Commission, based on the Executive Order, presented a draft adequacy decision in accordance with Article 45 GDPR. This had to go through the so-called adoption process. For this purpose, the draft was first submitted to the European Data Protection Board. The Commission then had to obtain the approval of a committee consisting of representatives of the member states. Finally, the draft had to withstand scrutiny by the European Parliament. Only then could the Commission adopt the final adequacy decision.

The EU-U.S. Data Privacy Framework in practice

On July 10, 2023, the time had come: the European Commission adopted the new adequacy decision for the USA based on the EU-U.S. Data Privacy Framework. The official website for the new data protection agreement went online a few days earlier. In the future, a list of US companies that have been certified according to the new mechanism and to which personal data can be transmitted without any further requirements will be available on this website.

For all EU companies that use US services and thereby transfer personal data to the USA, the EU-U.S. Data Privacy Framework and the corresponding adequacy decision have made things significantly easier. From an economic perspective, this development is welcome. But be careful! The adequacy decision can only be used as a transfer mechanism if the US company to which personal data is to be transferred has a valid certification under the EU-U.S. Data Privacy Framework. If this is not the case, it is still necessary to conclude standard contractual clauses and carry out a transfer impact assessment.

Criticism of the EU-U.S. Data Privacy Framework

Criticism of the new agreement comes from the Heise editorial team, among others. In one article, it is argued that the new agreement repeats old mistakes and represents a wasted opportunity. In particular, it is criticized that US mass surveillance is still permitted and that the newly created “court” for legal protection in the USA does not meet the ECJ’s requirements for a fair trial. Max Schrems, who has now co-founded the civil rights organization noyb, expressed skepticism about the new agreement. He criticized the fact that despite the various agreements – “Harbors”, “Umbrellas”, “Shields” and “Frameworks” – there had been no substantial change in US surveillance law. The current press releases are almost a word-for-word copy of those from 23 years ago. “The mere assertion that something is ‘new’, ‘robust’ or ‘effective’ is not enough before the Court,” said Schrems. “We needed a change to US surveillance law and that doesn’t exist.”

Conclusion

The “EU-U.S. Data Privacy Framework” represents an important step in the development of data protection between the EU and the USA. It offers a legal basis for data transfer and thus brings a certain legal certainty for companies. At the same time, however, there is also criticism of the new agreement. It remains to be seen whether it will meet the requirements of the ECJ.
