Since the ECJ's Schrems II decision on July 16, 2020, many economic actors have been in a phase of legal uncertainty regarding third country transfers to the US. During this time, we have actively supported our clients and helped to make the transfer of personal data to the US legally compliant, despite the existing legal challenges.
In the absence of an adequacy decision, data transfers were possible only if the Commission-mandated third-country SCCs were used, an additional (positive) transfer impact assessment (TIA) was conducted, and other additional safeguards could be demonstrated.
This extensive and sometimes complex review, combined with considerable legal uncertainties, came to an end (at least for the time being) on July 10, 2023. On that date the Commission announced a new adequacy decision for data transfers to the USA, the "EU-US Data Privacy Framework".
This new agreement certifies an adequate level of data protection in the U.S., which eliminates the previously required case-by-case risk assessment (TIA). Crucial to this acceptance by the Commission were various legal adjustments to U.S. surveillance law made after the Schrems II ruling.
Core changes to U.S. surveillance law
Introduction of Executive Order 14086 - Emphasis on the Principle of Proportionality
In the Schrems II decision, criticism focused in particular on the far-reaching access powers of U.S. intelligence agencies to personal data of non-U.S. citizens under Sec. 702 FISA. This regulation enabled mass surveillance of foreign citizens, which was judged disproportionate by the ECJ. In order to ensure the principle of proportionality pursuant to Art. 52 CFR, the access rights of the U.S. intelligence services will henceforth be more restricted and limited to a necessary level by the "Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities" ("EO-14086") of October 7, 2022.
Reorganization of the legal protection mechanism
Another major criticism of the former Privacy Shield was the ombudsman mechanism. The ECJ ruled that it did not offer sufficient legal protection. In particular, it criticized the lack of independence and the inability to issue binding regulations against intelligence services. In response, a special data protection court, the Data Protection Review Court, was established. This court is intended to give EU citizens the opportunity to take action against potential data protection violations. However, since it is subordinate to the U.S. Department of Justice, there are concerns about its actual independence and whether it meets the requirements under Art. 47 CFR.
Criticism of the innovations: Renewed rejection by ECJ to be feared?
Already during the development phase of the amended U.S. surveillance law, critical voices were raised from various corners. With the adoption of the new adequacy decision, data privacy activist Max Schrems in particular came forward and voiced his concerns. His comment sums it up:
A major point of criticism by many experts and data protectionists lies in the fact that Sec. 702 FISA, which enables mass surveillance, has remained unchanged in its core structure. The data protection organization NOYB, for example, assumes that the problems associated with Sec. 702 FISA will continue to exist even after EO-14086 is implemented. A key factor here is the different interpretation and application of the principle of "proportionality" in the U.S. compared to the EU.
Against this background, it seems likely that the ECJ will re-examine the regulations in the near future.
Maintenance of the self-certification principle
As a result of the revised legal framework, the transfer of personal data to the U.S. is now considered secure, provided it is directed to an appropriately certified company.
This means maintaining the principle of self-certification. Companies wishing to participate in the Framework must commit to complying with a defined set of data privacy principles and standards. These criteria have been defined by the US Department of Commerce.
The obligations include, among other things, that the companies submit to the investigative and enforcement powers of both the Federal Trade Commission (FTC) and the U.S. Department of Transportation (DoT). They are also required to implement a privacy policy that conforms to the principles set forth in Annex 1 of the Adequacy Decision. The Department of Commerce regularly monitors compliance with these provisions (compliance monitoring). In the event of repeated violations, there is a risk not only of civil sanctions, but also of exclusion from the Privacy Framework.
Does the Privacy Shield certification also apply to the new Data Privacy Framework?
Companies that were already certified under the Privacy Shield do not need to recertify themselves to participate in the DPF.
According to a notice from the International Trade Administration (ITA), these companies' participation in the DPF will automatically continue. However, they must update their privacy policies to comply with the DPF's amended principles by October 10, 2023.
These companies must renew their certification annually in accordance with DPF regulations, as of their current recertification date. Companies that were certified under the Privacy Shield but do not wish to participate in the DPF must formally opt out in accordance with the ITA withdrawal procedure.
It is important to note that failure to complete the annual recertification process does not terminate the company's participation or obligations. Even after completing the formal withdrawal process, the company must continue to comply with the applicable Privacy Shield/DPF Principles with respect to personal data received under these programs.
Companies not already certified under the Privacy Shield can begin the DPF self-certification process as of July 17, 2023, as indicated on the official DPF website (http://www.dataprivacyframework.gov/). It should be noted that companies must comply with the DPF requirements before submitting their self-certification.
How to deal with the new adequacy decision?
Despite the prevailing criticism, the newly adopted Privacy Framework lets many companies breathe a sigh of relief for the time being. When data is transferred to a certified company, this can now happen WITHOUT the use of special third-country SCCs, without a TIA and without additional measures. This means that extensive audits are no longer necessary for the time being.
In view of the profound criticism, however, we recommend that existing SCCs be retained and not dissolved. A renewed legal review of the adequacy decision by the ECJ seems to be only a matter of time, and its outcome remains uncertain. It is important to note that SCCs and TIAs remain required for data transfers to U.S. companies that are not certified, as well as for transfers to other third countries.
Practical application examples for companies
Scenario 1: data transfer between two EU companies
Question:
Are SCCs and a TIA required in this context?
Answer:
No - for data transfers within the EU, Articles 44 et seq. GDPR are not applicable. Therefore, there is no need for SCCs or a TIA. A classic order processing agreement pursuant to Art. 28 (3) GDPR is sufficient - even if the data transfer is to a European subsidiary of a US group.
Justification:
The GDPR applies in all EU Member States, ensuring a uniformly high level of data protection throughout the EU. Companies located in the EU are therefore obliged to comply with the GDPR. Therefore, SCCs and a TIA are not necessary in this context.
Scenario 2: data transfer from an EU company to a certified US company
Question:
Are SCCs and a TIA required in this context?
Answer:
While the use of SCCs is not mandatory, we still recommend their use. A TIA, on the other hand, is not required.
Justification:
According to the EU Commission's adequacy decision, an adequate level of data protection now applies to certified companies in the USA, making a TIA unnecessary. However, as the validity of this decision will be reviewed by the ECJ in the near future, there is some legal uncertainty. We therefore advise continuing to integrate SCCs in the order processing contract as a safeguard.
Scenario 3: Data transfer from an EU company to a non-certified US company
Question:
Are SCCs and a TIA required in this context?
Answer:
Yes, both SCCs and a TIA are mandatory in this case.
Justification:
The adequacy decision only facilitates data transfers to certified companies in the USA. For non-certified companies, the previous handling of data transfers remains unchanged.
Scenario 4: Existing order processing contract with a US company
An order processing agreement including SCCs has already been signed and a TIA has already been carried out.
Question:
Do additional steps need to be taken to ensure the legality of the data transfer?
Answer:
No, the data transfer on the basis of the existing contract is still legally compliant. No further steps are required.
Justification:
The data transfer is still based on the legal basis of Art. 28 GDPR. Through the integration of SCCs and the implementation of a TIA, the requirements of Art. 44 et seq. GDPR are complied with. In view of potential uncertainties regarding the future existence of the adequacy decision, it would be advisable not to make any hasty decisions about discarding these measures.