Breakthrough for data transfer to the USA - EU Commission adopts adequacy decision

What’s been all over town in recent days (we reported, Update on transatlantic data transfer - USA does homework and EU is close to adopting adequacy decision - SKW Schwarz) was officially announced yesterday. The EU Commission adopted its adequacy decision for the new EU-US privacy framework (EU-US data traffic: European Commission adopts new adequacy decision (europa.eu)). It confirms that the US ensures an adequate level of protection for personal data. This will significantly simplify data transfers to US companies in the future. However, US companies to which data is to be transferred on the basis of the adequacy decision, must first obtain certification in the USA.

Certification is to be carried out via the website operated by the US Department of Commerce, https://www.dataprivacyframework.gov/s/, which is not yet live. It can be assumed that most US companies receiving data from Europe will seek these certifications in the coming weeks. An updated list of certified and formerly certified companies (with reasons for removal) will be posted on the above-mentioned U.S. Department of Commerce website. Certification must be updated annually.

All previous legal bases for data transfers to the U.S., such as standard contractual clauses, will remain effective and required until the U.S. company receiving the data is certified. Data transfers from the USA to subcontractors in other third countries are also not covered by the adequacy decision. In this respect, alternative legal bases are required (e.g. standard contractual clauses). In addition, companies will continue to have to do their homework in terms of data protection law; in particular, they will have to know their data flows precisely and document them ("Know your data transfers"). If data transfers are based on the adequacy decision in the future, contracts and data protection notices must be adapted accordingly (see below, Practical tips).

Max Schrems has unsurprisingly already announced that he will also take legal action against the new EU-US privacy framework and has published a statement (European Commission gives EU-US data transfers 3rd round at ECJ (noyb.eu)). Schrems assumes that the matter will end up before the ECJ again as early as the beginning of 2024 and even considers a temporary suspension of the EU-US privacy framework to be possible.

Important practical tips for companies that want to base data transfers on the adequacy decision in the future are:

• Check certification of the U.S. company under the new EU-US privacy framework and have it verified.
• Review data flows, especially to see if subcontractors are used in other third countries (in which case the adequacy decision alone is not sufficient)
• Adapt data protection impact assessments, especially with regard to the risk assessment in connection with the third country transfer
• Adapt data protection contracts and privacy notices (including on website).
• Update the record of processing activities.

We will support you in implementing the above measures and keep you up to date with regard to further developments, including certifications of relevant US providers known to us.