Good news from Brussels: the “Trans-Atlantic Data Privacy Framework” has arrived!
What is the Trans-Atlantic Data Privacy Framework?
The “Trans-Atlantic Data Privacy Framework” is an agreement between the United States and the European Union. In this agreement, the parties have adopted certain mechanisms that serve to ensure an adequate level of data protection for citizens of the European Union when their personal data is processed in the United States. Based on the Trans-Atlantic Data Privacy Framework, the European Commission issued a so-called “Adequacy Decision” on July 10, 2023.
What is an “Adequacy Decision”?
An “Adequacy Decision” is a legal instrument provided for in Article 45(3) GDPR that legitimizes data exports from the European Union to third countries. If such an “Adequacy Decision” exists for a specific country, the transfer of personal data to that third country is permitted without further ado.
And now, we have an “Adequacy Decision” for the US?
Yes, exactly.
Hasn’t there been something like this before? And why is it important?
Yes, this is not the first “Adequacy Decision” with regard to the USA. In 2015, the European Commission had already issued an adequacy decision once, based on the then-current “Privacy Shield” agreement between the European Union and the USA.
However, with the “Schrems II” ruling, the ECJ declared this previous “Adequacy Decision” unlawful in July 2020. Since this date, data exports from the European Union to the USA have been problematic, as they were only permitted when employing specific other legal instruments – specifically the so-called “Standard Contractual Clauses” as per Article 46 (2) (c) GDPR. This was challenging in particular with regards to the use of US-based IT-services, as the use of these regularly involves an export of data. With the new adequacy decision, these problems no longer apply, and data exporters can now again rely on Article 45 (3) GDPR. Accordingly, the application of such US-based IT services will be much easier than the past three years.
What else do I need to consider?
The adoption of the “Adequacy Decision” paves the way to easier data exports on our side of the Atlantic. However, for a German company to be able to rely on the “Adequacy Decision”, the recipient of the data export in the USA must first submit to the provisions of the “Trans-Atlantic Privacy Framework”: the recipient of the data export in the USA must make a binding commitment in the U.S. to comply with the detailed data protection obligations arising from the “Trans-Atlantic Privacy Framework”.
European companies wishing to legitimize their data exports to the USA with the help of the new “Adequacy Decision” must therefore check whether their partners in the USA are certified accordingly. However, it can be assumed that companies in the USA will quickly seek and obtain certification.
And finally: of course any processing of personal data needs a legitimate basis, still. The “Adequacy Decision” eases issues raised for data exports, but does not relieve a processor of its further legal duties with regards to processing of personal data.
Any questions?
Please do not hesitate to contact us.