No more risks when transferring data to the USA?
Data transfer to the USA continues to be a difficult issue for data subjects and European supervisory authorities. Data transfer to the U.S. is associated with great uncertainty, particularly due to the far-reaching powers of U.S. authorities, and poses major challenges for companies.
However, hopes are currently growing for a transatlantic data protection agreement with the EU. On October 7, 2022, U.S. President Joe Biden signed the Executive Order "on Enhancing Safeguards for United States Signals Intelligence Activities," which is intended to create a new legal framework for data transfer to the U.S. and thus open a new chapter in transatlantic data transfers.
The Executive Order is a regulation of the U.S. government that is binding on U.S. authorities. It contains provisions intended to implement the requirements set by the European Court of Justice in the Schrems II ruling of July 16, 2020 (Case C-311/18) (cf. our website article). The aim of this regulation is to ensure legally secure data transfers between the U.S. and the EU.
Specifically, the Executive Order contains the following regulations:
First, binding guarantees are to be given for the first time that limit U.S. intelligence activities to a certain level. Access to the personal data of EU citizens should only be possible if this is necessary for national security and the interference is proportionate. In addition, mandatory procedures should be established for U.S. intelligence agencies to ensure effective monitoring of the new standards for the protection of the privacy of EU citizens. Furthermore, a redress system is planned, which for the first time will guarantee EU citizens an independent and binding review of their rights. This is a two-stage procedure: at the first stage, EU citizens will be given the opportunity to lodge a complaint with the “Director of National Intelligence”; at the second stage, the outcome can be reviewed by the newly created independent “Data Protection Review Court”.
The Executive Order is based on an agreement in principle between the EU Commission and the USA:
After long negotiations, it was announced in a joint statement on March 25, 2022, that the EU and the U.S. have agreed on a new transatlantic data protection agreement, the so-called Trans-Atlantic Data Privacy Framework (TADPF). According to the Commission, this is intended to provide a permanent basis for transatlantic data traffic and to protect the rights of citizens.
Now it is the EU Commission's turn: The decisive factor for the implementation of this new regulation is the adoption of an adequacy decision by the EU Commission, which stipulates that the USA offers an adequate level of data protection in line with the GDPR. However, it will be some time before this happens. The adequacy decision is not expected to be issued for another six months. Until such an adequacy decision has been issued, there will be no legal certainty for data transfers to the USA.
Until then, companies should continue to pay attention to the application of transfer mechanisms, such as the conclusion of standard contractual clauses ("SCC") or the implementation of Binding Corporate Rules ("BCR"), as well as the performance of a risk assessment, so-called Transfer Impact Assessment ("TIA"). However, the Executive Order can be used and taken into account as part of the risk assessment as an improvement of the level of data protection in the USA.
Against this background, it is essential to note the following:
As of December 27, 2022, data transfer to third countries may only take place on the basis of the new standard contractual clauses issued by the EU Commission in June 2021. After this deadline, all old clauses will lose their effectiveness, which is why there is a risk of heavy fines and claims for damages if they are used. For this reason, companies should urgently review their existing contracts to determine whether they still contain the old standard contractual clauses. If this is the case, we recommend taking the necessary steps to replace the old standard contractual clauses with the new EU standard contractual clauses in view of the imminent expiry of the deadline.
Overall, it remains to be seen whether the New Transatlantic Agreement will stand up to the European level of data protection. In any case, it can be assumed that the Transatlantic Agreement will sooner or later end up before the European Court of Justice for legal review.
SKW Schwarz has been advising numerous companies of all sizes on data transfers to third countries for many years. Do not hesitate to contact us if you have any questions or if your company needs support in converting your old contracts to the new standard contractual clauses.
Marwah Kamal, Associate, SKW Schwarz
Franziska Ladiges, Counsel, SKW Schwarz
Nikolaus Bertermann, Partner, SKW Schwarz