What is it about?
According to the General Data Protection Regulation (GDPR), the transfer of personal data to third countries outside the EU is only permitted if there exists an adequate level of data protection. Article 45(3) of the GDPR grants the EU Commission the power to decide by means of an implementing act that a non-EU country ensures an adequate level of privacy protection. An adequate level of protection exists in particular if the data essentially corresponds to the level of protection within the EU. The effect of adequacy decisions is that personal data can flow freely from the EU (and Norway, Liechtenstein and Iceland) to the respective third country without further obstacles.
Since the Snowden revelations, the transfer of personal data to the USA has regularly been the subject of judicial review by the ECJ. The ECJ most recently declared the previous EU-U.S. Privacy Shield to be in breach of the GDPR in its judgment of July 16, 2020 (Case C-311/18, Facebook Ireland v. Schrems II), thus establishing its invalidity. In particular, the ECJ criticized that, given the access possibilities of the U.S. security authorities, the data protection requirements are not met and the legal protection for data subjects is insufficient. Since data exchange between the EU and the U.S. is essential in economic transactions, the EU Commission and the U.S. government immediately began talks on a new framework and launched the EU-U.S. Data Privacy Framework.
New EU-U.S. Data Privacy Framework
Based on the new EU-U.S. Data Privacy Framework, personal data can now be transferred securely from the EU to U.S. companies participating in the Privacy Framework without the need for additional data protection safeguards.
This is accomplished because the EU-U.S. Data Privacy Framework introduces new binding safeguards to address concerns raised by the ECJ. The new framework introduces significant improvements over the previous mechanism in place under the Privacy Shield. It provides that access by U.S. intelligence agencies to EU data will be limited to a necessary and proportionate level. It also establishes a Data Protection Review Court, or DPRC, to which individuals in the EU will have access. If the DPRC finds that data has been collected in breach of the new safeguards, it can order the U.S. authorities to delete the data. The new government data access safeguards are intended to complement the obligations to which U.S. companies are subject when importing data from the EU.
Obligations for U.S. companies
In order for U.S. companies to benefit from the EU-U.S. Data Privacy Framework, they must certify accordingly with the U.S. Department of Commerce. In doing so, they agree to comply with a number of detailed data protection obligations. These include, for example, the requirement to delete personal data when it is no longer necessary for the purpose for which it was collected and to ensure continuity of protection when personal data is shared with third parties. The new "no additional measures" rule only applies if the U.S. company to which the data is transferred is certified under the EU-U.S. Data Privacy Framework. EU-based companies must verify this in advance. A corresponding list of certified organizations will soon be published by the U.S. Department of Commerce on a new website.
Rights for EU citizens
EU citizens have several legal remedies available in case their data is incorrectly processed by U.S. companies. These include free independent dispute resolution mechanisms and a mediation service. They will also be granted access to an independent and impartial redress mechanism regarding the collection and use of their data by U.S. intelligence agencies. The newly created Data Protection Review Court (DPRC) is responsible for this.
In addition, the U.S. regulatory framework provides a number of safeguards for access to data transferred under the framework by U.S. agencies. These protections relate specifically to law enforcement and national security purposes.
Easier transatlantic data flow
The safeguards put in place by the U.S. will also facilitate transatlantic data flows in general. They will also apply when data is transferred using other tools such as standard contractual clauses and binding corporate rules.
The functioning of the EU-U.S. Data Privacy Framework will be subject to periodic reviews conducted by the EU Commission together with representatives of European data protection authorities and competent U.S. authorities. The first evaluation will take place within one year of the Framework's entry into force to verify that all relevant elements have been fully implemented in the U.S. legal framework and are functioning effectively in practice.
All's well that ends well?
Of course, the adequacy decision and the Privacy Framework are not without controversy among data protectionists. Already in the run-up, both the EU Parliament and the European Data Protection Board - the association of European data protection supervisory authorities - had expressed doubts about the new measures. In particular, the focus is on the effectiveness of the newly announced protective measures for EU data subjects.
The "trigger" of the ECJ's Schrems ruling, Max Schrems, has also announced together with his organization noyb that he will challenge data transfers based on the Privacy Framework in court and thus bring about a renewed review by the ECJ. In this context, noyb assumes that the proportionality of the measures taken, as determined by the EU Commission, does not sufficiently take into account the requirements of the ECJ, even in its current form, because the changes to the intelligence laws in the USA are insufficient.
Only the ECJ and the EU Commission can overturn the adequacy decision
However, it is a long way through the courts before the ECJ reaches a decision on the invalidity of the EU-U.S. Data Privacy Framework. In this respect, the supervisory authorities are also bound by the decision issued by the Commission. Unless the EU Commission withdraws the adequacy decision as part of the regular evaluation, it will remain in force until a temporary suspension or final decision by the ECJ and is thus a permissible legal basis for the transfer of personal data to certified U.S. companies.