The legetimicy of international data transfers to the US has preoccupied us for several years now. In November, we last reported in our newsletter on the announcement of a new adequacy decision by the EU Commission.
According to the GDPR, personal data may only be transferred from the EU to third countries under certain conditions. The focus is on compliance with a level of protection established by the GDPR. Further, data protection provisions of the recipient state, legal protection possibilities and the role of data protection supervision are taken into account.
An adequacy decision, such as the one announced for the US, certifies that a third country provides the level of protection. Adequacy decisions already exist for a number of countries, such as Israel, Japan and the United Kingdom. Personal data can be transferred to these countries without further requirements.
In December, the European Commission announced that it planned to adopt a new adequacy decision for the United States.
On 13th December 2022, the EU Commission published the draft for this new adequacy decision, which should once again enable legally secure data transfers from the European Union to the United States.
Accordingly, the United States guarantees an adequate level of protection for personal data transferred from the EU to US companies under certain conditions. This is the conclusion reached by the EU Commission in its review after the US government had issued corresponding administrative instructions (“Executive Order”).
What does it mean for companies
It is likely that European companies will be able to openly transfer EU user data to US-based service providers from the third quarter of 2023.
The foundation would be a third data protection agreement between the EU and the USA – after the two unsuccessful framework agreements “Safe Harbour” and “Privacy Shield”, both of which were overturned by the European Court of Justice after lawsuits by the Austrian data protection activist Max Schrems.
We expected that activists will try to challenge the upcoming decision in court again. There is a significant risk that the new adequacy decision could only be momentary. Accordingly, the European Court of Justice could overrule it again until a substantial amendment to either the GDPR or the US surveillance laws is finally adopted.
For this reason, we assume that EU companies will at least exercise some caution when transferring data to the US until the ECJ has made a final decision on the new adequacy decision.
We will keep you informed about new developments, including the exact timetable for the proposed scheme.