Since the ECJ overturned the legal basis for data transfers from the EU to the USA with its "Schrems II" decision in July 2020, there has been uncertainty regarding the transfer of personal data to the USA. For small and medium-sized companies in particular, the effort involved in individual case reviews regarding the permissibility of their data transfers to the USA, for example when using cloud service providers and other IT solutions, is almost unmanageable. The standard data protection clauses published in June 2021 have only provided limited relief in this regard - not least considering the divergent views of the national data protection authorities within the EU.
At their joint press conference on March 25, 2022, U.S. President Joe Biden and European Commission President Ursula von der Leyen raised hopes for a new agreement between the U.S. and the European Union, based on which data transfer would be facilitated. The U.S. and EU agreed on a Transatlantic Data Protection Framework. This presupposes that the USA will adapt its legal situation in such a way that, from the EU's point of view, there is an appropriate level of data protection.
The Executive Order recently signed by President Joe Biden on 07 October 2022 represents a significant step in this regard.
The Executive Order introduces new binding safeguards, which are intended to address all the objections raised by the European Court of Justice in its "Schrems II" decision. In particular, access by U.S. security authorities to personal data of EU citizens is to be restricted, and a court to review data access, the so-called "data protection review court," is to be established.
What are the next steps?
On the same day the Executive Order was signed, the European Commission published a "Questions & Answers" document. In this document, the Commission announces that it will initiate the procedure for adopting an adequacy decision.
During the EU review process, European data protection authorities will have the opportunity to submit comments on the new adequacy decision, but these comments will not be binding on the European Commission.
Once the procedure is successfully completed, companies certified by the U.S. Department of Commerce under the new Privacy Rule will be allowed to transfer personal data between the EU and the United States.
The decision of the European Commission remains to be seen. For this reason, the current uncertain legal situation will not change for now. For the transfer of personal data to the USA, the following measures are still required:
- Completion of the relevant module of the standard data protection clauses.
- Conducting a "Transfer Impact Assessment" (TIA).
- If applicable, taking further measures necessary for the protection of personal data in the data transfer.
For more information on the European Commission's standard data protection clauses, you can read our post from 07 June 2021 (see link below).
If you are still transferring personal data to the U.S. based on the outdated standard data protection clauses, please note that you have until December 27, 2022 at the latest to replace them with the new standard data protection clauses.