Will the European Commission’s new adequacy decision finally promote transatlantic data transfers between the U.S. and the EU?

Content Hide

1. What is an adequacy decision?

2. Data transfer to the US possible again soon?

2.1. Author: Marian Härtel

Key Facts

The European Commission initiated a new adequacy decision on 13.12.2022.
The decision could promote the transatlantic transfer of data between the EU and the USA.
The new framework could enable companies to transfer personal data from the EU to the USA.
Previous regulations, such as the Privacy Shield, were blocked by the Schrems II ruling.
US companies must register with the FTC to participate in the new framework.
The European Court of Justice emphasizes that effective data protection measures are required, not necessarily equivalent standards.
The final version of the resolution could still be subject to legal challenges.

On 13/12/2022, the European Commission initiated a procedure for its adoption. In doing so, it relies on the decree issued by U.S. President Biden and the regulations issued by U.S. Attorney General Garland. After the EU-US Privacy Shield was declared invalid by the Schrems II ruling, the transfer of personal data from the EU to the USA has not been clearly regulated and has become significantly more difficult. The new decision could thus represent the third chance for regulated data flows. The draft has already been submitted to the European Data Protection Committee (EDSA) and must still be confirmed by the EU member states. Can we look forward to a change that will be liberating and more secure for all sides?

What is an adequacy decision?

The Commission has the possibility to determine the existence of an adequate level of protection in a given third country after appropriate examination. The determination may also be limited to a specific area or sector in the third country, or even to specific categories of data. An adequate level of protection exists where the third country, on the basis of its domestic law and its application of that law, the existence and effective functioning of one or more independent supervisory authorities, and its international commitments, has a level of protection equivalent to that afforded by the General Data Protection Regulation.

A data transfer based on such an adequacy decision does not require any further approval by the national supervisory authority responsible for the controller or processor. The other requirements of the General Data Protection Regulation regarding the permissibility of data processing apply independently (“two-step test”).

The General Data Protection Regulation provides for the continued application of adequacy decisions already issued (Art. 46 (5) sentence 2 DS-GVO). Such exist for the following countries:

Andorra
Argentina
Faroe Islands
Guernsey
Israel
Isle of Man
Japan
Jersey
Canada (for commercial organizations only)
New Zealand
Republic of Korea (South Korea)
Switzerland
Uruguay
United Kingdom

Data transfer to the US possible again soon?

Especially for IT companies like SaaS providers, a constant problem is that a transfer of user data to the USA, according to Shrems II is very difficult. It is therefore quite a hopeful moment that after almost a year of intense negotiations, the EU Commission has published the proposal for a new adequacy decision: 134 pages full of opportunity to give an adequate level of protection to U.S. data protection law under Article 45 GDPR. If the decision comes into force in the coming months, companies and organizations will be able to link up with the so-called EU-US Data Privacy Framework and transfer personal data from the EU to the USA.

The European Court of Justice (ECJ) has ruled that such a decision does not necessarily require functionally equivalent data protection to the EU level, but that data protection must be effectively implemented. This, in turn, the U.S. could not guarantee, for example, through the Foreign Surveillance Act. It is questionable, of course, whether President Joe Biden’s Executive Order 14086, can change that. U.S. services are to ensure in the future that their data collections are “necessary and proportionate” and that they are better controlled in their data collections.

Otherwise, the new Privacy Shield is expected to function similarly to the old one. Again, no automatism provided. U.S. companies that want to slip under the EU-U.S. Data Privacy Framework must register with the trade regulator FTC and accept the associated obligations.

Of course, it remains to be seen how a final version of the decision will read…and in corporate planning, it should then also be noted that there will certainly be lawsuits against a new adequacy decision as well.

Author: Marian Härtel

Marian Härtel ist Rechtsanwalt und Fachanwalt für IT-Recht mit einer über 25-jährigen Erfahrung als Unternehmer und Berater in den Bereichen Games, E-Sport, Blockchain, SaaS und Künstliche Intelligenz. Seine Beratungsschwerpunkte umfassen neben dem IT-Recht insbesondere das Urheberrecht, Medienrecht sowie Wettbewerbsrecht. Er betreut schwerpunktmäßig Start-ups, Agenturen und Influencer, die er in strategischen Fragen, komplexen Vertragsangelegenheiten sowie bei Investitionsprojekten begleitet. Dabei zeichnet sich seine Beratung durch einen interdisziplinären Ansatz aus, der juristische Expertise und langjährige unternehmerische Erfahrung miteinander verbindet. Ziel seiner Tätigkeit ist stets, Mandanten praxisorientierte Lösungen anzubieten und rechtlich fundierte Unterstützung bei der Umsetzung innovativer Geschäftsmodelle zu gewährleisten.

Tags: Data protection Law General Data Protection Regulation Lawsuit Personal data Privacy Regulation Saas Sicherheit