Cast off for EU-US data transfer – European Commission publishes adequacy decision for new EU-US Data Privacy Framework

On 10 July 2023, the European Commission published the long-heralded adequacy decision for the transfer of personal data to the United States on the basis of the new “EU-US Data Privacy Framework”.

In its adequacy decision, the European Commission concludes that there is an adequate level of protection for personal data transferred from the EU to a company in the US that is certified under the new Data Privacy Framework. On the basis of this adequacy decision, personal data can now be transferred from the EU to certified companies in the US without further measures for third country transfers or official authorisations.

Background: ECJ’s “Schrems II” decision, new “Transatlantic Data Privacy Framework” and US Executive Order on “Enhancing Safeguards for United States Signals Intelligence Activities”

On 16 July 2020, the European Court of Justice (ECJ) issued its high-profile “Schrems II” decision, in which it invalidated the European Commission’s adequacy decision on the EU-US Privacy Shield, without any provision for a transitional period, thus dealing a harsh blow to transatlantic data transfers.

On 25 March 2022, the European Commission and the US published a joint declaration on a new “Transatlantic Data Privacy Framework”, stating that the successor to the “EU-U.S. Privacy Shield”, which the ECJ had found to be inadequate, should also address the concerns expressed by the ECJ in “Schrems II”. On 7 October 2022, US President Biden signed an Executive Order “Enhancing Safeguards for United States Signals Intelligence Activities”, which is intended to implement the agreements with the European Commission on the new Transatlantic Data Privacy Framework in US law. As a result, the Commission announced on the same day that it would prepare an adequacy decision for the EU-US Data Privacy Framework and a draft of this was published on 13 December 2022.

Data transfers to the US will be facilitated

US companies will now be able to join the new EU-US Data Privacy Framework and become certified under it. Under this new certification scheme, US companies commit to a set of data privacy principles issued by the US Department of Commerce and contained in Annex 1 of the adequacy decision. First and foremost, in order to participate in the Data Privacy Framework, US companies must also be subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) and the US Department of Transportation (DoT). These data privacy principles apply immediately after certification for US companies that join the EU-US Data Privacy Framework, and they must recertify their compliance with the principles annually. In the future, data transfers to such certified US companies will be able to take place without further appropriate safeguards, in particular the standard data protection clauses provided by the Commission will no longer be required.

The new rules for US intelligence services, which will apply in the future under the Executive Order on “Enhancing Safeguards for United States Signals Intelligence Activities” issued by US President Biden, are also intended to facilitate data transfers to US companies that have not (yet) signed up to the EU-US Data Privacy Framework. This is because the order aims to provide better protection for personal data accessed by US authorities for national security purposes in the future. This includes strengthening the protection of privacy and civil liberties by ensuring that US intelligence activities must be necessary and proportionate to the pursuit of defined national security objectives. In addition, a new redress mechanism has been established and the existing oversight of the activities of the US intelligence services has been improved.

According to the European Commission, data transfers to US companies that are not based on the European Commission’s adequacy decision but on other appropriate safeguards such as standard data protection clauses or binding corporate rules will generally be made easier as a result of the new rules for US intelligence services. Nevertheless, companies that transfer personal data to US companies should carefully review the basis on which a data transfer can take place and, if necessary, incorporate the new standard data protection clauses issued by the European Commission in 2021 into their contracts. Despite the significantly improved legal situation in the US, the use of standard data protection clauses or other appropriate safeguards will still require the conduct of a transfer impact assessment, in which it must be determined whether national law precludes the transfer. A transfer impact assessment need not be carried out only if the transfer actually takes place on the basis of the new adequacy decision, i.e. the transfer is made to a company certified under the EU-US Data Privacy Framework.

Although the new EU-US Data Privacy Framework has already been harshly criticised, the European Commission is very confident that its new adequacy decision will withstand another ECJ review. We can expect that the new adequacy decision will also soon end up before the ECJ. However, at least for the time being, companies will be able to base data transfers to the US on the Commission’s new adequacy decision.