EU: GDPR: European Commission adopts new adequacy decision for EU-US data transfers
On 10 July, the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework. The decision states that the US offers an adequate level of protection (similar to the protection offered by the GDPR) for personal data transferred from European to US companies under the new framework. This decision is particularly important for US multinational enterprises that transfer, for example, HR data from their European seats to the US. However, it remains unclear whether it will survive the scrutiny of the Court of Justice of the European Union (CJEU).
The GDPR requires data protection safeguards before you can transfer personal data outside of the EU. This can be a very complicated process, which is why the GDPR grants the Commission the power to adopt an adequacy decision if it is of the opinion that a third country offers similar protection. In the case of the US, a first adequacy decision called “Safe Harbor” was already adopted in 2000. The CJEU invalidated this decision in the Schrems I case (C-362/14) in 2015. A second adequacy decision called “Privacy Shield” was adopted by the Commission in 2016, but this decision was in turn overturned by the CJEU in the Schrems II case (C-311/18) in 2020. There is no doubt that the new adequacy decision will also be challenged before the Court, as the main concern is still there: the invasive US surveillance laws which are used by the US intelligence services to gain access to all data.
In principle, companies that follow the new Trans-Atlantic data privacy framework should be able to transfer data without taking additional safety measures. The new framework means that companies will need to comply with a detailed set of privacy obligations, e.g. the obligation to delete personal data when it is no longer necessary for the purpose for which it was collected and to ensure enforcement of data protection rules within the US. This means that EU individuals can take several redress measures in case their data is handled wrongly by US companies. To address the arguments of the CJEU against the previous adequacy decisions, the US legal framework was amended to provide a number of safeguards regarding access by US public authorities to data transferred under the framework, in particular for criminal law enforcement and national security purposes. Access to data is limited to what is necessary and proportionate to protect national security. EU individuals will have access to an independent and impartial redress mechanism regarding the collection and use of their data by US intelligence agencies, which includes a newly created Data Protection Review Court (DPRC).
For now, the new adequacy decision will be a relief to many companies with trans-Atlantic interests, but it remains unclear whether this decision will hold up under the scrutiny of the CJEU.
Takeaways
- Transferring personal data from the EU to the US should become easier as there are now specific guidelines on how this can be done.
- This includes HR data regarding the staff of e.g. multinationals.
- Companies will need to comply with the Trans-Atlantic data privacy framework and take adequate measures.
- However, the two previous adequacy decisions were annulled by the CJEU, and it remains a serious risk that the third EU-US adequacy decision will suffer the same fate.