With the Schrems II judgment, which invalidated the Privacy Shield, the CJEU (Court of Justice of the European Union) made it more difficult for companies transferring personal data from the EU to the US to comply with the GDPR. However, the new EU-US Data Privacy Framework (or “Framework”) adopted on 10 July aims to put an end to this situation. But how does the Framework make data transfers between the EU and the US easier? In this short article, we explain the basics of the new Framework and answer the above question.
Background
Under the adequacy decision that preceded the new EU-US Data Privacy Framework, the so-called Privacy Shield adopted in 2016, US companies could register under the Privacy Shield, and once they had done so, the European Commission recognised that the US provided adequate protection for personal data transferred to such companies. This meant that no additional safeguards were needed for data transfers to such companies.
However, in the 2020 Schrems II judgment the CJEU invalidated the Privacy Shield, stating that US law did not provide adequate protection, in particular because of the excessive rights of the national security organisations and the lack of appropriate legal remedies.
In the absence of an adequacy decision, parties making such transfers had to apply a complex set of rules providing other additional safeguards, most commonly the standard data protection clauses adopted by the European Commission.
However, following negotiations between the EU and the US, the US passed legislation aimed at addressing the problems identified in the Schrems II judgment.
EU – US Data Privacy Framework
Following the above-mentioned legislation, the European Commission concluded that the US now ensures an adequate level of protection for personal data transferred from the EU to companies participating in the EU-US Data Privacy Framework.
The Commission has based its decision on the following.
The Framework, by adopting a new set of rules and binding safeguards, limits access to EU data by US intelligence services to what is necessary and proportionate.
Moreover, the new Framework gives EU citizens access to an independent and impartial redress mechanism regarding the collection and use of their data by US intelligence agencies, which includes a newly created Data Protection Review Court (DPRC).
Based on the above, personal data can be transferred to US companies participating in the EU-US Data Privacy Framework without being subject to any further conditions or authorisations. Consequently, transatlantic data transfers may be based solely on the Framework, instead of the currently used standard contractual clauses.
Certification of the US companies
It is noted that to participate in the Framework, US companies must, of course, comply with the Framework and, as under the previous Privacy Shield, submit a certification application to be added to the “Data Privacy Framework List”.
Once a US organisation is placed on the above-mentioned List, it can receive personal data on the basis of the Framework.
Moreover, US companies that are already registered under the previous Privacy Shield can rely on the Framework immediately, but they must also take action to comply with the new Framework by 10 October 2023; for instance, they need to update their privacy policies.
Summary
After the invalidation of the Privacy Shield, the situation for companies that transfer personal data to the US became more difficult, as companies had to apply specific data protection clauses to each transfer to the US.
However, the recently adopted EU – US Data Privacy Framework remedied the problems identified in the Schrems II judgment. Consequently, according to the European Commission, the US now provides effective legal protection as well as the right to an adequate judicial remedy for those whose personal data are made available to US national security organisations.
The adoption of the Framework makes it significantly easier to transfer personal data from the EU to the US, as a certified US company can receive personal data from the EU solely on the basis of the Framework instead of the currently used standard contractual clauses.
However, it is noted that US companies can only use the Framework if they apply for certification and are added to the Data Privacy Framework List.
Those US companies that are already registered under the previous Privacy Shield are in a better position, as they can rely on the Framework immediately, but they must also take action to comply with the new Framework by 10 October 2023.
By Peter Korozs, Junior Associate, SmartLegal Schmidt & Partners