In a world that is increasingly networked, the protection of personal data plays a crucial role. Every day, vast amounts of data are generated, exchanged and analyzed. This data may include sensitive information, such as personal identifiers, financial data, or health information. In this context, the European Union has taken on a pioneering role with the General Data Protection Regulation (GDPR) by setting high standards for data protection and data security.
The GDPR, which came into force in May 2018, sets strict rules for the processing of personal data of EU citizens, regardless of where the data processor is located. This means that companies and service providers from third countries, including the USA, that process data of EU citizens must also comply with the requirements of the GDPR.
For many companies outside the EU, especially in the U.S., this presented a significant challenge. Adapting to the GDPR often required extensive changes in data protection practices and policies. In addition, companies needed to ensure they had the necessary mechanisms in place to obtain user consent, store data securely, and report data breaches.
In this complex environment, the need for cooperation between the EU and third countries, especially the US, is obvious. Such cooperation can help eliminate legal uncertainties and facilitate the flow of data while ensuring a high level of data protection.
Before we get into the significance of the new step, it is important to understand the context. Until 2020, European companies could rely on the EU-US Privacy Shield agreement to lawfully transfer data to the US. The Privacy Shield was a mechanism that allowed companies to transfer personal data from the EU to the U.S. on the condition that U.S. companies complied with certain data protection standards.
However, in July 2020, the European Court of Justice (ECJ) declared the Privacy Shield invalid. The decision, known as Schrems II, found that the Privacy Shield did not provide sufficient protection for European citizens’ data, particularly with regard to U.S. government access to that data.
The elimination of the Privacy Shield left a legal void and created significant uncertainty for European companies that relied on U.S. service providers. Without a recognized mechanism for transferring data, companies have had to find alternative solutions, such as standard contractual clauses, which are often complex and difficult to implement.
On July 3, 2023, U.S. Commerce Secretary Gina Raimondo issued a statement announcing that the U.S. government had taken a significant step toward reaching an adequacy decision with the European Union in the area of data protection. This move could have far-reaching implications for companies using cloud services and software-as-a-service (SaaS) from the US. The full statement can be found on the official website of the U.S. Department of Commerce(source).
An adequacy decision would restore legal certainty for European companies seeking to use U.S. service providers. It would clarify that the U.S. provides an adequate level of data protection, eliminating the need for complex contractual arrangements.
Currently, companies that transfer data to the U.S. often have to implement elaborate contracts and security measures. If it can be reliably implemented at all (and some assume that it can). An adequacy decision would greatly simplify this process by providing a clear legal basis for data transfer.
U.S. vendors are often leaders in areas such as cloud computing, artificial intelligence and software-as-a-service (SaaS). An adequacy decision would make it easier for European companies to benefit from these innovative services without violating the GDPR.
An adequacy decision would also strengthen economic relations between the EU and the United States. It would send a signal that both sides are willing to work together and set standards that respect citizens’ privacy.
Many European companies use US-based SaaS providers and cloud services. Until now, the use of these services has often been problematic due to the different data protection standards. An adequacy decision would allow companies to use U.S. services with greater security and less red tape. This could also strengthen the competitiveness of US service providers on the European market.
The U.S. government’s announcement is a step in the right direction to address the challenges created by the elimination of the Privacy Shield. It is critical that both the EU and the U.S. continue to work together constructively to create a stable and sustainable framework for data protection that meets the needs of businesses and protects the privacy of citizens. In an era where data is considered the new oil, it is imperative that data flows efficiently and securely across borders. An adequacy decision would not only strengthen economic relations, but also promote citizens’ confidence in the digital economy.
It remains to be seen how the negotiations will develop and what concrete measures will be taken to ensure data protection standards. European companies should follow developments closely and prepare to adapt their data protection practices accordingly.
In a globalized world, it is essential that international data protection standards go hand in hand. The U.S. government’s move could be a milestone on the road to a harmonized data protection environment that promotes both privacy and economic cooperation.
Marian Härtel ist Rechtsanwalt und Fachanwalt für IT-Recht mit einer über 25-jährigen Erfahrung als Unternehmer und Berater in den Bereichen Games, E-Sport, Blockchain, SaaS und Künstliche Intelligenz. Seine Beratungsschwerpunkte umfassen neben dem IT-Recht insbesondere das Urheberrecht, Medienrecht sowie Wettbewerbsrecht. Er betreut schwerpunktmäßig Start-ups, Agenturen und Influencer, die er in strategischen Fragen, komplexen Vertragsangelegenheiten sowie bei Investitionsprojekten begleitet. Dabei zeichnet sich seine Beratung durch einen interdisziplinären Ansatz aus, der juristische Expertise und langjährige unternehmerische Erfahrung miteinander verbindet. Ziel seiner Tätigkeit ist stets, Mandanten praxisorientierte Lösungen anzubieten und rechtlich fundierte Unterstützung bei der Umsetzung innovativer Geschäftsmodelle zu gewährleisten.
As you know, I've written a lot here about artificial intelligence (AI), software as a service (SaaS), and contract clauses...
Read moreDetails
Management in the influencer sector is no longer uncharted territory. Numerous success stories have already been written with platforms such...
Read moreDetails
Earlier this year, I already warned about Brexit and data protection in this article. However, that was before the UK's...
Read moreDetails
This is an archive post of a blog article from before 2018, from the website www.rahaertel.com. The set date does...
Read moreDetails
The use of artificial intelligence (AI) in web design and programming opens up many new possibilities. As a web designer...
Read moreDetails
Introduction: Sample contracts are especially beneficial for small businesses and sole proprietors who cannot afford expensive legal advice. The use...
Read moreDetails
Every website operator is interested in obtaining statistics about their visitors, if only because you are a blogger who is...
Read moreDetails
A publishing contract can be the turning point in any game developer's career, contributing to the growth and success of...
Read moreDetails
Introduction Technology is rapidly evolving and opening doors to new opportunities in the legal field, a development that always fascinates...
Read moreDetailsThe Distance Learning Protection Act (FernUSG) has been experiencing a renaissance for some time now. What for decades was considered...
Read moreDetails
In this episode of the Itmedialaw podcast, lawyer and entrepreneur Marian Härtel takes you on a journey through the legal...
Read moreDetails
In this video, I talk a bit about transparent billing and how I communicate what it costs to work with...
Read moreDetails
