On July 10th, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework. The adequacy decision concludes that the United States ensures an adequate level of protection – compared to that of the EU – for personal data transferred from the EU to U.S. companies participating in the EU-U.S. Data Privacy Framework.
Under the General Data Protection Regulation, transferring personal data to a third country is only allowed under the conditions specified in Chapter 5.
This means that if you, as a company that operates in the EU or offers services to the EU, would like to transfer personal data to a third country (and yes, access to data is also considered a transfer), you can do it only if:
- That country has been recognized as an “adequate” country.
It’s kind of like a gold star that says, “This country has rules in place to protect personal data that are at the same level as those in the EU.” If a country has an adequacy decision, personal data can be transferred there without you needing to adopt any additional safety measures.
Here’s a list of the countries that are currently recognized as “adequate”: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Korea, Switzerland, the UK, and Uruguay.
- If a country outside the EU isn’t recognized as “adequate,” your business has to adopt additional safety measures, called “appropriate safeguards,” to transfer personal data.
Here is a list of the common ones:
- Standard Contractual Clauses (SCCs): These are pre-approved contracts from the EU that businesses can use; they must be adopted in their standard language (meaning you can’t change the terms). They contain strong commitments from the data sender and receiver to protect personal data.
- Binding Corporate Rules (BCRs): These are internal rules adopted by multinational companies (or a group of companies) and approved by the EU. However, the process of receiving approval is not an easy one, and therefore, not many companies have them.
- Codes of Conduct and Certifications: These are kind of like rulebooks or badges developed by industry or sector groups that companies can choose to follow or earn. They must meet EU standards and be approved by data protection authorities.
- Derogations: These are special exceptions that allow data transfers in certain situations without any of the above safeguards. For example, they can be used when the individual gives explicit consent, or when the transfer is necessary to fulfill a contract between the individual and your company (like booking a hotel in a non-EU country).
The History of Data Transfers Between The EU And The US
Transferring personal data from the EU to the US has a long and complex history. There are a number of reasons for this, but one of the more significant ones relates to US surveillance laws such as the Foreign Intelligence Surveillance Act (FISA), under which government authorities can access records held by US companies (Facebook, Google, etc.) that also process data of Europeans; this does not align with GDPR requirements.
In order to allow data transfers between the EU and the US, a framework was agreed on between the sides, called the Safe Harbor framework, with the intention of resolving the differences in data protection standards. The framework allowed US companies to obtain a certificate that they comply with certain privacy principles in order to legally transfer personal data from the EU to the US.
This is where Max Schrems, an Austrian privacy activist, enters the picture. He challenged the Safe Harbor framework through the European Court of Justice (ECJ), arguing it didn’t provide enough data protection because it did not sufficiently solve the issue of US surveillance laws. The ECJ agreed with him and declared Safe Harbor invalid in 2015. After Safe Harbor was declared invalid, the EU and US came up with a new framework called Privacy Shield, which again was meant to ensure that EU citizens’ data would be protected in the US. But guess what? Schrems wasn’t satisfied with this either. He challenged it, and in 2020 the ECJ invalidated the Privacy Shield as well (AKA “Schrems II”).
Did you know? Max Schrems founded the non-profit organization NOYB (None of Your Business). NOYB advocates for digital rights and data protection, taking legal actions and leading campaigns to hold tech companies accountable for privacy violations.
The new EU-US Data Privacy Framework
You’d think the sides would have had enough at this point, but given the vast amounts of data transferred between the countries, the US and EU drew up a third framework which was approved about a month ago.
The goal is to make it easier for EU companies to transfer data to the US and use US vendors. The US has pledged to curb intelligence activities, establish a data protection review court, and offer a platform for addressing the key concerns raised in the previous “Schrems II” decision, hoping that these measures will be sufficient and will withstand the scrutiny of the ECJ when the framework is (inevitably) challenged again (“Schrems III” anyone?).
What does this mean for you?
It is important to understand that the framework does not apply automatically to any US company; some conditions must be met. The new framework requires companies to obtain a certificate similar to the one needed for the Privacy Shield framework.
If your company was certified for Privacy Shield (which was invalidated as mentioned above), you can become certified for the new framework as well. You have until October 11th to decide whether to renew your certification (unless your renewal date is sooner).
If you’re a US-based company or working with US-based vendors, participating in the new framework and getting the certification has several perks, such as removing the need for you to adopt certain “additional safeguards,” for example conducting transfer impact assessments (TIAs).
The framework doesn’t create substantive new obligations for certified organizations, but it does require a thorough review of data transfer strategies and privacy policies, both for companies re-certifying and for those just joining.
If your company was not certified through Privacy Shield, you would have to start the certification process or continue using the other transfer options, such as the EU Standard Contractual Clauses (SCCs), any time you’re transferring personal data from the EU to the US.
Please note that companies in certain sectors, such as health, finance, and non-profit organizations, can’t join the new framework.
As good as this may all sound, from our experience we recommend still relying on an additional mechanism alongside the new framework (such as SCCs). This new framework will most likely be challenged in court again, and having to retroactively adopt another mechanism with all your customers and vendors is quite a nightmare.
Still confused? Here’s a simple flow:
Wrapping it all up, based on the past, we’d suggest not getting too excited about the new EU-US Data Privacy Framework just yet. It doesn’t mean you shouldn’t join the club or use it as a transfer mechanism. It just means that you should be cautious and consider also relying on additional transfer mechanisms that have passed the test of time, like Standard Contractual Clauses (SCCs). This pragmatic approach ensures that your organization is well-prepared, no matter how the data privacy landscape may evolve.
Noa is a certified CIPM, CIPP/E, and a Fellow of Information Privacy (FIP) from the IAPP. Her background consists of marketing, project management, operations, and law. She is the co-founder and COO of hoggo, which builds transparency around data privacy practices.