Data transfer between the European Union and the United States has entered a new era. With the "EU-U.S. Data Privacy Framework", a new data protection agreement has been launched, which forms the basis for a European Commission decision taken in June 2023. This declares the level of data protection for certified companies in the U.S. to be adequate. This article looks at the developments in the matter of "data transfers to the U.S." up to the issuance of the new adequacy decision and explains what is meant by such an adequacy decision.
The history of data protection between the EU and the U.S. is characterized by constant changes and adjustments. Before the EU-U.S. Data Privacy Framework, there were already two other agreements: Safe Harbor and Privacy Shield. However, both were annulled by the European Court of Justice (ECJ) because they did not provide sufficient protection for the data of European citizens.
In March 2022, the European Commission and the U.S. government agreed on the "EU-U.S. Data Privacy Framework". The Commission published the following basic principles of the data protection agreement in its factsheet on March 25, 2022: Data can flow freely and securely between the EU and participating U.S. companies. A new set of rules and binding safeguards will limit access by U.S. intelligence agencies. Procedures will be established to ensure effective monitoring of the new standards. A new two-tier redress system will ensure that complaints from EU citizens about access to data by U.S. intelligence agencies are investigated and addressed. Strict obligations apply to U.S. companies processing data transferred from the EU.
The Emergence of the EU-U.S. Data Privacy Framework
After the announcement of the agreement in principle, the ball was on the other side of the Atlantic. It was the U.S.'s turn to legally secure the basic principles of the agreement and to address those aspects of data protection in the U.S. that caused the European Court of Justice (ECJ) to annul the Privacy Shield in 2020. On October 7, 2022, U.S. President Joe Biden issued a decree to this effect. Through this Executive Order On Enhancing Safeguards for United States Signals Intelligence Activities (E.O.), among other things, U.S. intelligence agencies are instructed to limit their data access to a proportionate level.
On December 13, based on the Executive Order, the European Commission submitted a draft adequacy decision pursuant to Art. 45 GDPR. This had to pass through the so-called adoption procedure. For this purpose, the draft was first submitted to the European Data Protection Committee. The Commission then had to obtain the approval of a committee consisting of representatives of the member states. Finally, the draft had to withstand scrutiny by the European Parliament. Only then could the Commission adopt the final adequacy decision.
The EU-U.S. Data Privacy Framework in Practice
On July 10, 2023, the time had come: The European Commission issued the new adequacy decision for the U.S. based on the EU-U.S. Data Privacy Framework. A few days earlier, the official website for the new data protection agreement went online. In the future, a list of U.S. companies that have been certified under the new mechanism and to which personal data may thus be transferred without further requirements will be available on this website.
For all EU companies that use U.S. services and thereby transfer personal data to the U.S., the EU-U.S. Data Privacy Framework and the corresponding adequacy decision have brought significant relief. From an economic perspective, this development is to be welcomed. But beware. The adequacy decision can only be considered as a transfer mechanism if the U.S. company to which personal data is to be transferred has a valid certification under the EU-U.S. Data Privacy Framework. If this is not the case, the conclusion of standard contractual clauses and the performance of a transfer impact assessment are still required.
Criticism of the EU-U.S. Data Privacy Framework
Criticism of the new agreement comes from the Heise editorial team, among others. In an article, it is argued that the new agreement repeats old mistakes and represents a missed opportunity. In particular, it is criticized that U.S. mass surveillance continues to be permitted and that the newly created "court" for legal protection in the U.S. does not meet the ECJ's requirements for a fair trial.
Max Schrems, who has since co-founded the civil rights organization noyb, expressed skepticism about the new agreement. He criticized the fact that despite the various agreements - "Harbors," "Umbrellas," "Shields," and "Frameworks" - there has been no substantial change in U.S. surveillance law. The current press statements, he said, are almost a word-for-word copy of those from 23 years ago. "Merely claiming something is 'new,' 'robust,' or 'effective' doesn't cut it in the Court," Schrems said. "We needed a change in U.S. surveillance law, and it doesn't exist."
The "EU-U.S. Data Privacy Framework" represents an important step in the development of data protection between the EU and the U.S. It provides a legal basis for data transfer and thus brings a degree of legal certainty for companies. At the same time, however, there is also criticism of the new agreement. It remains to be seen whether it will stand up to the requirements of the ECJ.