The transfer of personal data to the United States is complex and prone to risks. A new legal framework is therefore still crucial. After the European Court of Justice (ECJ) overturned previous bases for data transfer (“Safe Harbour” and “Privacy Shield”), the EU Commission is now making a new attempt to create an EU-US privacy framework in order to ensure an equivalent level of data protection. In October 2022, US President Joe Biden signed the first document creating the legal framework, also known as the Trans-Atlantic Data Privacy Framework (we reported).
On December 13, 2022, the EU Commission presented a draft adequacy decision. The draft is currently with the European Data Protection Board (EDPB) for its opinion. Subsequently, the Commission will seek the approval of a committee representing EU member states. In addition, the European Parliament has the power to examine the adequacy decision.
Basis for facilitated data transfer to the US
Once this procedure has been completed, the European Commission can issue a final adequacy decision. If the adequacy decision is adopted, it would form the basis for a significantly simplified data transfer to the US. In particular, further agreements for the data transfer, such as standard contractual clauses or Binding Corporate Rules (BCR), would no longer be required.
US legal framework addresses ECJ criticisms
The new EU-US Data Privacy Framework aims to achieve greater data security and is intended to address the ECJ’s main criticisms of the previous regulation, the Privacy Shield. In particular, data owners have many rights under the new EU-US framework, including the right to protect their data from access by US intelligence. In addition, data subjects must have access to independent and impartial methods if their data is to be used by US intelligence agencies. US companies can join the EU-US Data Privacy Framework by undertaking to comply with these privacy commitments.
Continued use of standard contractual clauses and BCRs until a decision is reached
Unless it is implemented in practice accordingly, the EU-US Data Privacy Framework will not be upheld by the ECJ. The German data protection authorities might also consider the transfer unlawful despite the adequacy decision. The further outcome therefore remains to be seen. A decision is expected in spring 2023. Until that decision has been adopted, companies will, for the time being, have to continue to use standard contractual clauses or Binding Corporate Rules in order to ensure data protection when transferring personal data.