Update: DSK publishes application note on the transfer of personal data to the U.S.

After we already reported in detail on the new adequacy decision for data transfers to the USA (EU-US Data Privacy Framework) in our article of July 11, 2023, the data protection supervisory authorities are now also explicitly commenting on this topic. In its now published 32-page application note dated September 4, 2023, the Data Protection Conference (“Datenschutzkonferenz” - DSK) not only provides general information on the adequacy decision (e.g., on the certification mechanism), but also goes into detail on the new legal protection options for data subjects.

From our point of view, the most gratifying passage can be found in section IV, which deals with the transfer of personal data to the U.S. on the basis of other transfer instruments (such as standard contractual clauses):

"According to the EU Commission, all safeguards implemented by the U.S. government in the area of national security apply to all data transfers under the GDPR to U.S. companies, regardless of the transfer instruments used. Therefore, data exporters can use appropriate safeguards (Article 46 GDPR) in the context of data transfers to take into account the assessments made by the EU Commission in the adequacy decision for their transfer impact assessment."

In summary, this means that data transfers to the USA are now significantly less risky even if the data importer is not (yet) certified under the new adequacy decision.

It is nothing new for a data protection supervisory authority to comment so extensively on third-country transfers. The Bavarian State Commissioner for Data Protection in the Public Sector also published a comprehensive guidance document on international data transfers as early as May 2023 - even before the adequacy decision was issued.

Practical advice

Data transfers to the USA are currently possible without any significant risks. This is especially true if the data importer is certified under the new adequacy decision. However, the (continued) use of standard contractual clauses is also possible, whereby the current legal situation in the USA may and should be taken into account in the transfer impact assessment.

The data protection activist Schrems has already announced through his organization noyb that all appeals against the new adequacy decision will be filed. It is therefore impossible to predict whether and when the new adequacy decision will be "overturned" by the European Court of Justice. We therefore currently consider a "dual solution" to be a legally secure and long-term alternative. In addition to checking whether a data importer falls under the new adequacy decision, standard contractual clauses should continue to be used - especially if this does not involve any major additional effort. The transfer impact assessments carried out to date should also be updated accordingly. By maintaining such a double solution, companies are at least prepared for all further developments in the jungle of third-country transfers.

We will be happy to assist you with any questions you may have regarding data transfers to insecure third countries and how to deal with the new EU-US Data Privacy Framework.