European Commission declares the USA safe for data protection
On 10 July 2023, the European Commission published a Appropriateness decision which the USA or commercial organisations participating in the "EU-US Data Protection Framework" (original title: "EU-US Data Privacy Framework"), in the list of countries with an adequate level of protection for personal data. This new adequacy decision is an important development for European companies that transfer personal data to the US or work with US organisations.
The background to the adequacy decision is the Schrems II judgement of the European Court of Justice (ECJ). To counteract the concerns of the ECJ, the new "EU-US data protection framework" was introduced.
About the author
Dr Marija Stambolieva
Senior Consultant Compliance Management, Information Security, Data Protection & AI Officer
About the author
Dr Marija Stambolieva
Senior Consultant Compliance Management, Information Security, Data Protection & AI Officer
European Commission declares the USA safe for data protection
On 10 July 2023, the European Commission published a Appropriateness decision which includes the USA and commercial organisations participating in the "EU-US Data Privacy Framework". the list of countries with an adequate level of protection for personal data. This new adequacy decision is an important development for European companies that transfer personal data to the USA or work with US organisations. The background to the adequacy decision is the Schrems II judgement of the European Court of Justice (ECJ). The new "EU-US Data Protection Framework" was introduced to counteract the concerns of the ECJ.
In focus: New EU-US data protection framework
The data protection framework contains Guaranteesto ensure that the US intelligence services' access to data on the necessary and proportionate is restricted to a certain extent. Individuals whose data has been transferred to the USA also have access to a two-stage appeal procedure against US surveillance measures.
US organisations wishing to participate in the "EU-US Privacy Framework" must comply with a set of data protection principles. In order to confirm compliance with the principles contained in Annex I of the adequacy decision, participating organisations must US organisations of self-certification which must be renewed annually.
What impact does this decision have on you as the person responsible?
Data transfer to the USA:
The adequacy decision came into force on 10 July 2023 and is valid indefinitely. From this date, you can transfer personal data from the EU to US companies or organisations that participate in the "EU-US data protection framework" without having to introduce additional data protection guarantees.
Audit of the US organisations:
However, before transferring data, you should ensure that the US organisations to which the personal data is to be transferred are on the list of the US Department of Commerce. These organisations have committed to comply with the data protection principles set out in the Framework and have been deemed adequate.
Data protection mechanisms still in place:
All safeguards introduced by the US government will continue to apply to all data transfers under the GDPR to companies in the US, regardless of the transfer mechanisms used. You can therefore continue to use standard contractual clauses or binding corporate rules to transfer data securely.
Utilisation of Microsoft technologies:
Microsoft Corporation and affiliated companies participate in the data protection framework programme. If you use Microsoft technologies, this is also covered by this scheme.
What are the residual risks?
Despite these positive developments, you should be aware of the residual risks. The implementation of the adequacy decision could be contested in practice. In view of the fact that the civil society organisation "noyb" has already announced its support for such has announced complaintsit is not unlikely that a complaint will be lodged with the ECJ.
Two possible scenarios can provide more clarity in the future:
1 First review by the European Commission: The European Commission will review the adequacy decision within one year of its entry into force. A favourable assessment could provide additional legal certainty.
2nd decision of the European Court of Justice (ECJ): If an action is brought before the ECJ, a final decision by the court could provide clarity on the legality of the adequacy decision.
What could your next steps be?
It is advisable to Developments in relation to the adequacy decision and other information in the data protection landscape. to keep an eye on.
The adequacy decision provides some relief for companies and demonstrates the endeavour to Data protection at international level to strengthen it. Other obligations under the GDPR still apply. Appropriate technical and organisational measures (TOMs) or the implementation of a data protection impact assessment (DPIA) also help to protect personal data.
Do you have any questions?
If you have any questions about this or would like support with data protection requirements, please contact us.