On July 10, 2023, the EU Commission announced that it had issued an adequacy decision for the US. An adequacy decision simplifies the transfer of personal data to a third country, i.e., a country outside the EU. Data transfers to third countries are generally associated with high hurdles, as the level of data protection applicable there often does not meet the strict standards of the GDPR. In particular, the level of data protection in the U.S., which has national laws providing supervisory authorities with significant access rights, has in the past been judged not to be equivalent to that in the EU. The EU's two previous attempts to reach data protection-compliant agreements with the U.S. failed before the European Court of Justice (ECJ): both the ›Safe Harbor‹ and the ›EU Data Privacy Shield‹ agreements were declared ineffective in the infamous Schrems I and II decisions.
Good Things Come In Threes?
We reported on the new beacon of hope, the ›Trans-Atlantic Data Privacy Framework‹ or the ›EU-US Data Privacy Framework‹, in our blog post in May 2023. The draft published then was heavily criticized by the EU Parliament, which was of the opinion that the efforts of the US government would not be sufficient to create an equivalent level of protection. In particular, it argued that the rights of EU citizens had not been put on an equal footing with those of U.S. citizens and that the risk of mass surveillance by U.S. authorities had not been eliminated.
Who is covered by the EU-US Data Privacy Framework?
The EU Commission did not address the EU Parliament's concerns but issued an adequacy decision on July 10, 2023. However, this does not mean that all data transfers to the U.S. are now simply permitted; rather, U.S. companies must actively join the EU-US Data Privacy Framework through voluntary self-certification.
Companies that are subject to the investigatory and enforcement powers of the Federal Trade Commission (the ›FTC‹), the U.S. Department of Transportation (the ›DOT‹), or another agency that effectively ensures compliance with the principles are eligible to join. In order to accede, companies must publicly commit to comply with the EU-US Data Privacy Framework Privacy Principles and publish privacy policies consistent with the EU-US Data Privacy Framework. Once they have joined, companies are required to comply with the EU-US Data Privacy Framework. A list of participating companies is to be published by the U.S. Department of Commerce. A ›blacklist‹ is also envisaged, listing the companies that have joined but have since been removed for non-compliance.
Interesting for employers: If a company decides to process personal data from HRIS systems based on the EU-US Data Privacy Framework, this must be explicitly reported to the U.S. Department of Commerce and compliance with the requirements of the EU-US Data Privacy Framework must be confirmed.
Against the background of the fierce criticism so far, it is not surprising that the ›NOYB - European Center for Digital Rights‹, whose founder is Max Schrems, has already announced that the EU-US Data Privacy Framework will be subject to review by the ECJ. It therefore remains to be seen whether the EU-US Data Privacy Framework will meet the fate of its predecessors.
The ›Trans-Atlantic Data Privacy Framework‹ - Finally a legally secure data transfer to the USA? (May 2023)
EU Commission issues an adequacy decision for the US (July 2023)