International Data Transfers and Policies: EU Data Transfers to the U.S.
Publication | 05.14.24
On July 10, 2023, the European Commission formally adopted a new adequacy decision for the EU-U.S. Data Privacy Framework (DPF), which provides companies transferring personal data to the U.S. an additional mechanism to legitimize their cross-Atlantic data transfers. The DPF replaces the previously invalidated Privacy Shield and Safe Harbour frameworks. The DPF is in many ways a “Safe Harbour III” – mainly due to the way that organizations can adhere to it, how it is administered, and the way that its compliance is monitored. However, the legal framework in the U.S. did change to accommodate the requests from the EU and the concerns expressed in the CJEU’s Schrems I and II judgments (reflected in the Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities of October 7, 2022 and in regulations adopted by the U.S. Attorney General).
Under the General Data Protection Regulation (GDPR), personal data may be transferred from the European Economic Area (EEA)—which includes the 27 EU Member States as well as Norway, Iceland, and Liechtenstein—to a non-EEA country, if that country provides an adequate level of protection for the personal data.
The European Commission (EC) conducts the assessment of the country’s level of protection, and it is made concrete in a formal adequacy decision. The first time that the U.S. received such adequacy (still under the GDPR’s predecessor, the EU Data Protection Directive) was by the EC decision of July 26, 2000, which created the Safe Harbour framework.
In 2013, Austrian citizen Maximilian Schrems objected to his data being sent by Facebook Ireland to servers in the U.S., arguing that, in light of the 2013 revelations made by whistleblower Edward Snowden, personal data did not receive adequate protection in the U.S., despite Facebook’s formal adherence to the Safe Harbour Principles. In its Schrems I judgment, the CJEU invalidated the Safe Harbour mechanism. On July 12, 2016, the EC replaced the invalidated framework with a new one, the EU-U.S. Privacy Shield. A follow-up complaint from Schrems targeting the validity of the Standard Contractual Clauses (SCCs) led to the Schrems II judgment, which invalidated the Privacy Shield framework (but not the SCCs).
A result of the Schrems II judgment was that organizations need to carry out a data transfer impact assessment when using appropriate safeguards such as the SCCs, where the specific data transfers at hand need to be assessed in detail. While completing such an impact assessment was already made easier thanks to changes in the U.S. legal framework (which benefit all data transfers under the GDPR, including those covered by SCCs), having access to a new framework where such assessment is not required represents a victory for trans-Atlantic data transfers.
To rely on the new framework, companies will undergo a self-certification process, as detailed on the U.S. Department of Commerce’s new Data Privacy Framework website. Certified companies will commit to a set of privacy obligations without needing to put in place additional safeguards or conduct additional impact assessments. While it seems that Schrems and others have already confirmed that they will challenge this new compliance framework, it does, for now, provide a solid legal basis for cross-Atlantic data transfers, which is a more than welcome breath of fresh air for the digital economy.
*Former Crowell attorney Christiana State contributed to this article.