New adequacy assessment of the EU-U.S. Data Protection Framework data transfer agreement
On July 10, 2023, the European Commission adopted a decision on the adequacy of the level of protection for transfers of personal data from the EU to the US using the new data transfer agreement. This is known as the EU-U.S. Data Privacy Framework (EU-U.S. DPF). This means that personal data can now be transferred from the EU to US companies participating in the EU-U.S. DPF without having a transfer basis in GDPR Art. 46.
Following the European Court of Justice's invalidation of the EU-US Privacy Shield framework in the so-called Schrems II case back in July 2020, many organizations within the EU/EEA have been hesitant to enter into, or have refrained entirely from, partnerships with suppliers that use US-owned service providers as sub-processors. They can now breathe a sigh of relief.
With the adequacy decision, personal data can be transferred from the EU/EEA to organizations in the US that are included in the Data Privacy Framework List without providing a basis for transfer in GDPR Article 46.
This means that it is no longer necessary to establish effective supplementary measures for transfers based on the adequacy decision in relation to the certified organizations. In other words, transfers to these organizations can be handled in the same way as transfers of personal data within the EU.
The new agreement addresses the criticisms raised by the European Court of Justice in the Schrems II case. This includes stipulating that US intelligence services may only access personal data to the extent that it is necessary and proportionate to protect national security. In addition, an independent second-instance complaint mechanism has been established to handle complaints from EU citizens regarding US intelligence services' access to and use of their personal data.
Companies such as Google, Amazon, and Microsoft have already been certified under the new data transfer agreement between the US and the EU, paving the way for companies and authorities within the EU to once again use programs such as Google Analytics and cloud services whose parent company is in the US.
The Data Privacy Framework List is a list of certified organizations. The list is updated regularly.

How can personal data be transferred to non-certified companies?
However, the adequacy decision can only be used as a basis for transfer when transferring personal data to organizations in the US that have certified themselves under the EU-US Data Privacy Framework with the US Department of Commerce.
Transfers to organizations in the US that are not certified under the EU-US DPF cannot be made on the basis of the adequacy decision. In this case, it will be necessary to establish a basis for transfer in GDPR Art. 46 and to assess the level of protection in the third country and the need for any additional safeguards.
If the organization in the US is a data processor that uses sub-processors that are not included in the Data Privacy Framework List, the adequacy decision does not apply to these sub-processors. For such onward transfers, a new basis for transfer will have to be established and, where necessary, effective supplementary measures will have to be put in place to achieve a level of protection equivalent to that in the EU/EEA.
In practice, this means that companies within the EU must continue to enter into the European Commission's Standard Contractual Clauses (SCCs) and prepare Transfer Impact Assessments (TIAs) as a condition for transferring personal data if the recipient organization in the US has not certified itself under the EU-US DPF.
However, the safeguards introduced by the US government in connection with US intelligence services' access to and use of personal data transferred from the EU/EEA apply to all transfers of personal data to the US, regardless of the basis for transfer chosen. When assessing whether the chosen transfer basis ensures effective protection, data exporters may thus include the European Commission's analysis of US legislation and practice in their assessment.
Schrems III?
Several critics, including NOYB led by Max Schrems, have already stated that the EU-US DPF will not be sufficient to ensure the fundamental right to privacy of EU citizens, and that they intend to bring a case before the European Court of Justice to challenge the new Data Transfer Agreement between the US and the EU.
Whether the European Court of Justice will reject a data transfer agreement approved by the European Commission for the third time remains uncertain, but nevertheless, the EU-U.S. DPF constitutes a valid basis for the transfer of personal data to the United States for the time being, to the delight of many organizations across the EU/EEA and the United States.
In the previous rulings that invalidated Safe Harbor and Privacy Shield, the agreements were terminated with immediate effect. Therefore, even with the new data transfer agreement, one must be prepared for the possibility that a replacement solution may quickly become necessary if the data transfer agreement is deemed invalid.
It is therefore a good idea to have a procedure in place whereby standard contractual clauses can be quickly put in place, as well as an exit strategy for each supplier in case it becomes unlawful to continue using that supplier because of data transfers to the US.
CLEMENS is following developments closely and will keep you updated on the latest news.
If your company transfers personal data to countries or international organizations outside the EU/EEA, and you are unsure whether this is done on a legal basis, please contact CLEMENS' personal data team.
