The adequacy decision for data transfers to the US is in…

Everything new, makes the July?

There are probably many who have already heard the news of the day. That’s right, it’s about data protection! The European Commission has finally adopted the new adequacy decision for the EU-US data protection framework. What does it mean? It is a big step towards secure and trustworthy data traffic between the EU and the US.

This decision establishes that the United States will ensure an adequate level of protection for personal data transferred from the EU to U.S. companies within the new framework. This means that personal data can be transferred securely from the EU to U.S. companies participating in the framework without the need to introduce additional data protection safeguards.

But there is more! The new EU-US data protection framework brings significant improvements over the previous mechanism. New mandatory safeguards are introduced to address all concerns expressed by the European Court of Justice. For example, access by U.S. intelligence agencies to EU data will be limited to what is necessary and proportionate. It also creates a Data Protection Review Court (DPRC) that individuals in the EU can access.

Now that that’s all settled, you could offer a wager. How long will it be before Schrems III has to be dealt with at the ECJ? 😉

But seriously, this is an important step in giving citizens confidence in the security of their data, deepening economic ties between the EU and the U.S., and strengthening shared values at the same time.

What makes the Trans-Atlantic Data Privacy Framework (TADPF) new

The Trans-Atlantic Data Privacy Framework (TADPF) is not just a contractual commitment by U.S. companies to ensure adequate data privacy. It goes far beyond that. In the course of implementing the TADPF, the U.S. has indeed limited the powers of its intelligence agencies with respect to accessing data of EU citizens while strengthening their legal position. This was done via the “Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities,” issued by U.S. President Biden on October 7, 2022.

For EU citizens whose personal data is transferred to the U.S., this new Executive Order brings the following improvements in particular:

Proportionality: U.S. intelligence agencies must now also check with EU citizens whether access to their data is proportionate. Complaint Procedure: At the first level, EU citizens can file a complaint with the U.S. intelligence community’s Civil Liberties Protection Officer. This person has the responsibility to ensure that U.S. intelligence agencies uphold privacy and fundamental rights. Review Procedure: At the second level, individuals have the opportunity to challenge the decision of the Civil Liberties Protection Officer before the newly created Data Protection Review Court.

The European Court of Justice (ECJ) will have to decide whether these measures sufficiently eliminate the risk of data misuse by U.S. intelligence agencies. Critics of the data transfers to the U.S., however, consider the pledge insufficient.

What to consider

The TADPF does not cover the entire United States. Rather, U.S. companies must go through a self-certification process in order to then invoke the adequacy decision. For companies with many EU users or customers, such as Meta, Google, Microsoft, AWS, etc., this is to be expected soon.

The certified U.S. companies are listed in a database, as was the case with the predecessor “Privacy Shield”. There you can search for the respective companies. The information on the scope of certification under the TADPF must also be taken into account. For example, only certain areas of the company can rely on the adequacy of the level of data protection.

Official information on the TADPF can be found at the web address https://www.dataprivacyframework.gov/, as well as searching for certified companies. Note, as of 07/10/2023 – No companies have been added to the database to date.

Conclusion

The TADPF represents an important step towards legal certainty in the transfer of data between the EU and the USA. It provides a structured and legally recognized mechanism for the transfer of personal data, which is especially important when using services from U.S. providers, such as Google, Meta, Microsoft, or Amazon, that process personal data.

However, it is not unlikely that it is only a temporary legal security. It depends both on the data protection policy of the next U.S. president and on whether the ECJ will consider the U.S. data protection measures taken to date to be sufficient.

For most, it means using U.S. companies will be safer for now. To guard against future uncertainties, the only option is to switch to EU providers. Since there are often no adequate alternatives here, the question of using U.S. providers will remain an “operational risk” for many companies, government agencies and other responsible parties in the future.

For more details, you can read the 123-page resolution for yourself.

Author: Marian Härtel

Marian Härtel ist Rechtsanwalt und Fachanwalt für IT-Recht mit einer über 25-jährigen Erfahrung als Unternehmer und Berater in den Bereichen Games, E-Sport, Blockchain, SaaS und Künstliche Intelligenz. Seine Beratungsschwerpunkte umfassen neben dem IT-Recht insbesondere das Urheberrecht, Medienrecht sowie Wettbewerbsrecht. Er betreut schwerpunktmäßig Start-ups, Agenturen und Influencer, die er in strategischen Fragen, komplexen Vertragsangelegenheiten sowie bei Investitionsprojekten begleitet. Dabei zeichnet sich seine Beratung durch einen interdisziplinären Ansatz aus, der juristische Expertise und langjährige unternehmerische Erfahrung miteinander verbindet. Ziel seiner Tätigkeit ist stets, Mandanten praxisorientierte Lösungen anzubieten und rechtlich fundierte Unterstützung bei der Umsetzung innovativer Geschäftsmodelle zu gewährleisten.