
New year, new mechanism for US-EU data transfers?

Last October, President Joe Biden’s administration published an executive order regarding a new EU-U.S. Data Privacy Framework – the replacement of the so-called Privacy Shield mechanism that previously allowed transfers of personal data from the EU to the United States.

The executive order immediately sparked the European Commission’s process to assess the new U.S. regime and prepare a corresponding adequacy decision, which would bring considerable certainty and clarity to trans-Atlantic data flows. In essence, it was a beacon of hope for European organisations that have struggled with U.S. data transfers, for example in connection with various established cloud services, ever since the prior Privacy Shield mechanism was invalidated by the Schrems II judgement in July 2020.

A new privacy framework

Whenever personal data exits the region of the European Economic Area (EEA), the General Data Protection Regulation (GDPR) requires an underlying transfer mechanism allowing such international transfer of personal data. International transfers of personal data include actually transferring data for storage outside the EEA but also cases where EEA-stored data is merely accessed from non-EEA countries. Such access is a common feature in many established cloud services with a corporate connection, for example, to the U.S. or India. 

Transfers specifically to the U.S. previously relied on the Privacy Shield framework, in which transfers to U.S. companies locally certified in the Privacy Shield system were justified by virtue of an adequacy decision by the European Commission. However, the Privacy Shield’s adequacy status was invalidated on 16 July 2020 pursuant to the so-called Schrems II decision of the Court of Justice of the European Union (ECJ). This left European companies having to resort to alternative transfer mechanisms, namely standard contractual clauses, to legitimise transfers to the U.S. This alternative involves further hurdles, such as obligations to carry out transfer impact assessments (TIA) and supplementary safeguards. 

It therefore goes without saying that the new executive order and consequent adequacy process have been warmly welcomed by relevant stakeholders. For a long time, details on the preparation of the new framework were rather limited, with the most concrete update being that, in March 2022, the EU and U.S. announced that an ‘agreement in principle’ for a new data transfer arrangement had been reached. 

The situation as it stands

The new framework, introduced by the October executive order, aims to address the various shortcomings of the Privacy Shield identified by the ECJ in Schrems II. In particular, it sets out new binding requirements of proportionality and necessity for the actions of U.S. surveillance authorities contemplating access to EU data. It also includes a multi-layer redress mechanism for individuals affected by such access. Moreover, the U.S. Department of Commerce has prepared a set of renewed commercial data protection principles, also known as the EU-U.S. Data Privacy Framework Principles, to which U.S. organisations will certify similarly to the setup under Privacy Shield. 

On the EU side, the European Commission is currently preparing an adequacy decision on the basis of the renewed U.S. regime. In fact, the Commission only recently, on 13 December 2022, adopted its draft of the adequacy decision, signaling that the process is indeed proceeding swiftly. The draft decision is currently being reviewed by the European Data Protection Board, after which the EU member states and the European Parliament will weigh in on the matter before the Commission is able to adopt a final adequacy decision, which is expected to happen this spring. 

The contents of the draft adequacy decision have already attracted attention, with the most obvious takeaway, naturally, being that the European Commission has now concluded that the U.S. ensures an adequate level of protection for personal data transferred to U.S. companies under the new regime. However, the adequacy determination would already be subjected to a first review within one year to ensure that all relevant elements of the new regime have been duly implemented and are functioning effectively in practice. Following that, there would be a regular reassessment at least every four years. 

What to do while waiting for adequacy?

For all its ambition, it already seems evident that the new framework will eventually be challenged in the EU courts. Therefore, the new adequacy solution is likely to merely buy time for a couple of years until ‘Schrems III’ comes along. Consequently, alternative transfer measures, such as the recently updated standard contractual clauses for international data transfers, remain a key compliance tool to keep in place as a secondary mechanism in case the new U.S. adequacy arrangement is again invalidated, or where it does not apply to a specific transfer. In particular, standard contractual clauses are still the predominant transfer mechanism as regards all non-EEA countries for which an adequacy decision is not available (for example India and China). 

Although focus is mainly on the upcoming adequacy decision, it is important to note that the new binding requirements of the executive order will already afford increased protections for all U.S. data transfers even before an official adequacy status. This is because the executive order is now being adopted by relevant U.S. intelligence agencies, thereby mitigating many of the risks to the protection of EU data that were identified in the Schrems II decision. Consequently, it will also be easier to rely on, for example, standard contractual clauses and related transfer impact assessments to justify U.S. transfers, since the local regime has been bolstered in terms of data protection safeguards. It can also be argued that the supervisory authorities will be less eager to investigate U.S. transfer activities in the highly evolving landscape. 

Ius Laboris




Ius Laboris is a leading international employment law practice combining the world’s leading employment, labour and pension firms. Our role lies in sharing insights and helping clients to navigate the world of labour and employment law successfully.