On 16 July 2020, we started one of our Client Alerts as follows:
“At 9:30 a.m. Central European Time, privacy professionals around the world were refreshing their browsers to read the long-awaited judgment of the Court of Justice of the European Union (CJEU) principally addressing the viability of Standard Contractual Clauses (SCCs) and the EU-U.S. Privacy Shield (Privacy Shield) as means to transfer personal data from the European Union (EU) to the United States (U.S.).
When the judgment arrived, it landed with a bang: though the CJEU upheld the use of SCCs, it invalidated the Privacy Shield, the well-known mechanism to transfer personal data from the EU to the U.S. The decision also cast doubt on the viability of other options, including SCCs, for making transatlantic transfers.”
With the European Commission’s adequacy decision of 10 July 2023, it took almost three full years of legal uncertainty and diplomatic discussions to replace the then invalidated data transfer mechanism. After the “Safe Harbour Principles” and the “EU-U.S. Privacy Shield”, we now have the “EU-U.S. Data Privacy Framework”, which entered into effect immediately.
While it is in many ways a “Safe Harbour III” – mainly due to the ways in which organizations can adhere to it, how it is administered and the ways in which its compliance is monitored – the legal framework in the U.S. did change to accommodate the requests from the EU and the concerns expressed in the CJEU’s Schrems I and II judgments (reflected in the Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities of 7 October 2022 and regulations adopted by the U.S. Attorney General).
So, while Schrems already confirmed that, once again, he will challenge this new compliance framework, it does, for now, provide a solid legal basis to rely on for the cross-Atlantic data transfers at issue. This is a more than welcome breath of fresh air for the digital economy.
I. The Background
Under the General Data Protection Regulation (GDPR), personal data may be transferred from the European Economic Area (EEA), which includes the 27 EU Member States as well as Norway, Iceland and Liechtenstein, to a non-EEA country if that country provides an adequate level of protection for the personal data – compared to that of the EU.
The assessment of the country’s level of protection is done by the European Commission (EC) and made concrete in a formal ‘adequacy decision’. The first time that the U.S. was awarded such adequacy (still under the GDPR’s predecessor, the EU Data Protection Directive) was by the EC decision of 26 July 2000, which created the aforementioned Safe Harbour framework.
In 2013, Austrian citizen Maximillian Schrems objected to his data being sent by Facebook Ireland to servers in the U.S., arguing that, in light of the 2013 revelations made by whistleblower Edward Snowden, personal data did not receive adequate protection in the U.S., despite Facebook’s formal adherence to the Safe Harbour Principles.
In its Schrems I judgment, the CJEU invalidated the Safe Harbour mechanism and left organizations desiring to comply with European data protection law with one option less to do so.
On 12 July 2016, the EC replaced the invalidated framework with a new one, the “EU-U.S. Privacy Shield”.
A follow-up complaint from Schrems targeting the validity of the SCCs resulted in an invalidation of the Privacy Shield framework (but not expressly of the SCCs), leaving organizations with one less option to comply with European data protection law for the second time.
On 10 July 2023, the EC has now replaced the invalidated framework with yet a new one, the “EU-U.S. Data Privacy Framework”.
II. The New Framework
One of the consequences of the Schrems II judgment was that organizations need to carry out a data transfer impact assessment when using appropriate safeguards such as the SCCs. Such assessment is far from a walk in the park, as the impact of the entire legal framework on the specific data transfers at hand needs to be assessed in detail.
While carrying out such assessment was already made easier thanks to the aforementioned changes in the U.S. legal framework (which benefit all data transfers under the GDPR, including those covered by SCCs), having access to a new framework for which such assessment is not required (as it already has been carried out by the EC for all transfers under the framework), provides a welcome additional mechanism for trans-Atlantic data transfers, particularly in situations where SCCs are not feasible.
Indeed, international data transfers to the U.S. are not only a reality for global businesses, but also for every local EU-based business using digital tools with any type of link to the U.S., from physical servers to the legal corporate structure– and, definitely, there are many.
Given that the new adequacy decision took effect immediately upon its adoption on 10 July 2023, we recommend carrying out a data mapping exercise (or, of course, leveraging an up-to-date existing one) to identify all data transfers from the EEA to the U.S. and to determine which transfers could rely on the new mechanism.
If your organization wants to rely on the new framework, which will be enforced by the U.S. Federal Trade Commission, your application should be submitted to the U.S. Department of Commerce (DOC), which will issue the corresponding certification. The DOC has announced that it will launch a new website for such purpose, with details about the application process, in the coming days. Because much of the new framework requires that organizations have certain processes and mechanisms in place to assure adequate data protection, organizations seeking to take advantage of this new mechanism will need to be sure they have adequate data transfer compliance protocols that are regularly monitored and enforced.
Because it is an opt-in framework, the new framework will indeed not be a solution for all EU data transfers to the U.S. However, many organizations are expected to embrace this new opportunity, which will make data transfers to these entities a much less bumpy ride.
For further information, please contact:
Maarten Stassen, Partner, Crowell & Moring
mstassen@crowell.com