EU-US Data Privacy Framework: What data exporters need to consider
The General Data Protection Regulation (GDPR) provides a high level of protection for personal data and applies in the EU member states as well as in the EEA states Iceland, Liechtenstein and Norway. To ensure that controllers cannot circumvent the strict requirements of the GDPR by exporting data to third countries, i.e. countries outside the EU and the EEA, the GDPR contains special requirements for such third-country transfers. As one possibility, Art. 45 GDPR provides for a transfer to third countries on the basis of an adequacy decision by the EU Commission. The Commission can determine by decision that a third country offers an adequate level of protection. If such an adequacy decision has been made, the transfer to that third country is generally permitted.
Third country transfers to the USA
With regard to the USA, there have already been two adequacy decisions, each of which has been declared invalid by the European Court of Justice (ECJ), particularly with regard to the extensive powers of the US intelligence services. Since the ECJ’s Schrems II decision, data exporters transferring personal data to the USA have faced significant challenges. In order to eliminate the resulting legal uncertainty, the EU and the USA have agreed on the EU-US Data Privacy Framework. On the basis of this, the EU Commission has issued a new adequacy decision, which came into force on July 10, 2023 and on the basis of which data transfers to the USA can take place.
Even if the EU Commission’s new adequacy decision leads to a significant simplification, special requirements must still be observed for third-country transfers to the USA. Against this background, the Conference of Independent Federal and State Data Protection Supervisory Authorities (DSK) has now published application instructions for the EU Commission’s adequacy decision for the USA, which data exporters can use as guidance for their own third country transfers to the USA.
DSK application instructions
The DSK emphasizes that the adequacy decision is only of a sectoral nature. The decision does not cover all data transfers to the USA, but only those whose recipients are certified US companies. US companies can obtain certification from the Department of Commerce (DOC), which verifies compliance. If the check is successful, the US companies will be added to the Data Privacy Framework List. From this point on, companies can transfer personal data to the USA.
Data exporters must first ensure that the specific recipient in the USA is actually on the list. In addition, annual recertification is required. Data exporters in the EU must therefore regularly check whether the certification still exists. Explicit certification is required for employee data; the DOC list also shows this information.
Two-stage test of legality
In its application instructions, the DSK provides for a two-stage examination of the legality of third-country transfers. Data exporters must first comply with the general legality requirements of the GDPR when processing personal data (level 1). In particular, there must be a legal basis for the processing, and the transfer to third countries based on the Data Privacy Framework must be explicitly listed in the data protection information. Data exporters must also guarantee the various rights of data subjects under Chapter 3 of the GDPR. The requirements of the GDPR for permissible third-country transfers must then be adhered to and adequately documented (level 2).
The ECJ’s central criticism of the previous adequacy decisions was the lack of effective legal redress mechanisms. The Data Privacy Framework now provides for complaint options that certified US companies in the USA or the EU must provide. US companies can also meet this obligation by voluntarily agreeing to cooperate with EU data protection regulators. Certified US companies must set up their own legal redress mechanisms and provide information about another independent complaint body in their data protection information. The DOC also provides information about other available legal remedies as part of the Data Privacy Framework Program.
The new adequacy decision leads to more legal certainty. However, the DSK points out that a third-country transfer to the USA is not permitted without prior verification. Data exporters must ensure compliance with the general requirements of the GDPR and observe the special requirements of the Data Privacy Framework. In particular, they must check whether the US data importers are certified before transferring data to third countries. In addition, the DSK points out the possibility of the ECJ revoking the adequacy decision again. The French parliamentarian Philippe Latombe has already filed a lawsuit against the adequacy decision with the ECJ as a private individual. The NOYB association has also already announced that it wants to take action against the adequacy decision. Although a repeal does not apply retroactively, data exporters for whom data transfer to the USA is vital should have emergency plans in place in order to be prepared in the event of another repeal by the ECJ.