The EU Commission issued its new adequacy decision for data transfers to the U.S. on July 10, 2023. The press release of the EU Commission can be found here.
The adequacy decision re-establishes, for now, a legally secure basis for transferring personal data to companies based in the U.S. Below is what you should pay attention to now.
What is the adequacy decision and why was it necessary?
Under the GDPR, personal data may only be transferred to countries outside the European Economic Area (EEA) if the third country guarantees a level of data protection essentially equivalent to that in the EU. The EU Commission can establish such an adequate level of protection in a legally binding manner by means of an adequacy decision (Art. 45 GDPR).
The EU Commission previously made use of this possibility for the USA in 2016 on the basis of the Privacy Shield agreement. In its “Schrems II” ruling of July 2020, however, the European Court of Justice (ECJ) declared that decision invalid because of the extensive surveillance powers of U.S. state authorities, in particular the U.S. intelligence services. The ruling created considerable legal uncertainty. Even if a company concluded the EU standard contractual clauses (updated in June 2021) with its U.S. providers and agreed additional contractual or technical measures to protect the data processed, as had been best practice since the ruling, it could not be certain that the data protection authorities and the courts would regard this as sufficient.
This uncertainty has now ended, at least for the time being. The EU Commission and the U.S. government announced an agreement in principle on the EU-U.S. Data Privacy Framework (DPF) in March 2022; the U.S. side implemented it by Executive Order in October 2022, adding rule-of-law guarantees for the benefit of EU data subjects. On this basis the EU Commission adopted its new adequacy decision on July 10, 2023.
Does this eliminate the risks of data transfers to the USA?
Quite clearly: Yes and no.
The adequacy decision creates legal certainty for the time being, because it is binding on the authorities and courts of the Member States, including the national data protection authorities.
However, it is to be expected that sooner or later the ECJ will again have to rule on data transfers to the United States. Both the European Data Protection Board (EDPB) and the European Parliament have expressed considerable doubts about the effectiveness of the rule-of-law safeguards agreed with the U.S. government, so the outcome of future proceedings before the ECJ is open.
What should companies be aware of?
If you want to use U.S. providers to process personal data in the future, you should first check in the official Data Privacy Framework list maintained by the U.S. Department of Commerce whether the respective company is actually certified under the EU-U.S. Data Privacy Framework (DPF). Check not only that the entry exists but that its status is active and that the certification covers the categories of data you intend to transfer (the list distinguishes between HR data and non-HR data), and record the result of this check in your transfer documentation.
If this is the case, you still need to conclude a Data Processing Agreement (DPA) pursuant to Art. 28 GDPR with the provider where it acts as your processor, but not necessarily the EU standard contractual clauses.
However, if the provider offers to additionally agree on the standard contract clauses, you should make use of this option for the following reasons:
- In relation to U.S. companies, the standard contractual clauses (Module Two, controller to processor) have the advantage of fulfilling the legal requirements for a Data Processing Agreement pursuant to Art. 28 GDPR. The DPAs drafted by U.S. providers do not always ensure this.
- The standard contractual clauses may also be necessary because the U.S. provider shares your data with group companies or sub-processors in third countries other than the United States.
- The standard contractual clauses can serve as a fallback in the event that the ECJ also invalidates the adequacy decision of July 10, 2023. You would then not have to amend your contracts with the U.S. provider at short notice, and you reduce your liability risk. Given the already known criticism of the DPF, it cannot be ruled out that the data protection authorities or courts will take the position in the future that your company should not have relied on the continued validity of the adequacy decision.
For existing contracts with U.S. providers, you should
- monitor future changes to the contract terms, especially the DPAs and the transfer mechanism they rely on,
- and, if necessary, adapt your privacy statements, record of processing activities and cookie banners.
However, many of the protective measures you agreed with U.S. providers in the wake of “Schrems II” will remain useful. For example, bring-your-own-key encryption protects not only personal data but also your business and trade secrets from access by U.S. authorities. Note the practical caveat: this protection only holds if the provider cannot use the key itself. A key that is merely imported into the provider's key management service can still be used by the provider to decrypt your data, and the provider can be compelled to do so. The access of U.S. authorities is only effectively prevented where the key stays under your exclusive control and the data is encrypted on your side before it reaches the provider.