New framework for data transfers to the US 

July, 2023 - Thomas Olsen, Helga Skauge Bysting

Background
The EU General Data Protection Regulation (GDPR) restricts the transfer of personal data outside the EEA unless there is a legal basis for the transfer, e.g., EU standard contractual clauses or binding corporate rules (BCR). As a result of the European Court of Justice’s decision of 16 July 2020 in the so-called Schrems II judgment, in which the previous Privacy Shield framework was declared invalid, it has been challenging for European companies to use US services that may involve the transfer of personal data to the US.

Since the EU and the US announced in March 2022 that they had agreed on the central principles for a new framework for data transfer, there has been great anticipation regarding the content of the framework and how quickly the new framework would be adopted. An important step towards the new framework was US President Joe Biden’s signing in October 2022 of a new Executive Order, and in December 2022 the European Commission published its draft adequacy decision. The draft has gone through the EU bodies’ procedure for adoption and the European Commission has now made its final formal decision. The adequacy decision will apply immediately.

Practical consequences
The European Commission’s decision involves an assessment that there is a sufficient level of protection for personal data that is transferred from the EEA to US companies that have self-certified in accordance with the new framework. The framework contains binding guarantees to meet the concerns addressed by the CJEU. The framework entails, among other things, restrictions on US intelligence services’ access to personal data regarding citizens within the EEA, and the establishment of a Data Protection Review Court (DPRC). The DPRC provides individuals in the EU with access to an independent and impartial complaint mechanism regarding US intelligence agencies’ collection and use of their data. The DPRC will investigate and resolve complaints and will be able to adopt binding remedial measures.

The adequacy decision will only cover companies that are self-certified and listed on the Data Privacy Framework List. The list will be updated continuously.

For the transfer of personal data to companies that are self-certified pursuant to the requirements, the EU-US Data Privacy Framework will provide a legal basis for transfer. Thus, it is not necessary to establish another basis for transfer, to assess the level of protection for the transfer or implement additional measures. However, the general requirements in the GDPR still apply. For example, it may still be necessary to enter into data processing agreements or to carry out risk assessments relating to information security.

It is expected that the major US IT suppliers that have continued their participation in Privacy Shield will continue under the new framework.

For transfers to US companies that are not listed on the Data Privacy Framework list, there will still be a requirement for another legal basis for transfer (e.g. EU standard agreements or binding corporate rules (BCR)) and an assessment documenting that the transfer mechanism provides effective protection against US intelligence services.

However, the new adequacy decision means that the European Commission has already assessed that US legislation and practice are not problematic due to the measures under the new framework, and that additional measures are therefore not necessary. The guarantees that the US has introduced will also apply when data is transferred using other bases for transfer. This means it will be easier for EEA companies to make assessments related to transfers of personal data to the US, by relying on the European Commission’s assessments. The assumption is that the company to which personal data is to be transferred is not subject to laws beyond what is common for US commercial companies.

What's next?
The new framework will be administered and monitored by the US Department of Commerce, while the US Federal Trade Commission will enforce US companies’ compliance with the rules.

The European Commission, together with representatives of European data protection authorities and competent US authorities, will regularly review how the new framework works in practice.

The first review will take place no later than one year after the adequacy decision entered into force, to ensure that relevant measures and obligations have been fully implemented in the US legal framework and that these are working effectively in practice.

It remains to be seen how the EU-US Data Privacy Framework will hold up in the future. NOYB and Max Schrems have already made it clear that they will challenge the validity of the framework in the European Court of Justice. NOYB has argued that the new framework is essentially a copy of the Privacy Shield, and that no major changes have been made in US legislation regarding European citizens’ rights. Max Schrems/NOYB expect the framework to be back at the European Court of Justice by the beginning of next year.

For the time being, however, the new framework will be a practically important legal basis for transfers to the US. There are also reasons to believe that the new framework will have an impact on complaints in Norway and the EU concerning the use of Google Analytics. In these cases, the view of the data protection authorities has been that Google Analytics involves transfers to the US in violation of the GDPR transfer rules.

Read more:
Nye regler for overføring av personopplysninger til USA (Datatilsynet)
(In Norwegian only)

Adequacy decision EU-US Data Privacy Framework.pdf (europa.eu)

 


