Update Data Protection No. 126
New EU-/U.S. Data Protection Agreement on the home straight
Since the ECJ’s Schrems II decision (we reported several times, most recently on October 10, 2022), there is no easy solution for data transfers from the European Union to the U.S. However, on October 7, 2022, U.S. President Joe Biden issued a new Executive Order with which the U.S. intends to address the ECJ's concerns regarding the processing of personal data of European citizens in the United States. From the point of view of many data protection experts, this Executive Order represents a significant step forward compared to the old Privacy Shield. In particular, it explicitly addresses the issues criticized by the ECJ regarding the proportionality of the processing of personal data in the context of intelligence activities as well as the legal protection options for European citizens.
Even though many data protection activists do not consider the Executive Order sufficient enough, the European Commission on 13 December 2022 published a draft of a so-called Adequacy Decision. An Adequacy Decision under Art. 45 GDPR allows European controllers to transfer data to the relevant importing country without agreeing to standard contractual clauses or other transfer mechanisms, thus significantly simplifying data transfers. With respect to the U.S., this is particularly important as many technical services are provided by U.S. based companies that use these services in their daily operations.
The draft of the Adequacy Decision still has to go through official bodies, for which a period of around four to six months is generally expected. Until then, companies cannot rely on the decision under Art. 45 GDPR for data transfers to the U.S.
However, in the meantime, they can continue to use standard contractual clauses for data transfers under Article 46 GDPR. Although it should be noted that in each case a so-called Transfer Impact Assessment, which is an evaluation of the risks from the transfer for the data subjects, must take place, the Executive Order alone facilitates this Transfer Impact Assessment. The draft of the Adequacy Decision can also be taken into account in the respective Transfer Impact Assessment, so that companies also have design possibilities until the Adequacy Decision comes into force.
In the future, companies will have to keep in mind that even under the validity of a new Adequacy Decision for the Executive Order, the controllers must always check whether the data will remain in the U.S. or whether onward transfers will be made from the U.S. to other third countries. If this is the case, it must be checked for each of these third countries what the data protection situation is there and corresponding standard contractual clauses must be agreed if there are also no Adequacy Decisions for these other third countries. To date, Adequacy Decisions are only available for the following countries: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, South Korea, Uruguay and the United Kingdom.
In conclusion it can be said that data transfer to the U.S. will probably become somewhat easier again in the coming months than it is currently. However, it may well be that this is only a temporary state. Data protection activists have already announced legal actions against the Adequacy Decision. Experience shows that these take two to three years to reach the ECJ. During this time, however, companies can rely on the Adequacy Decision in any case. Didier Reynders, the EU Justice Commissioner responsible, hopes that the new agreement has a 70 – 80 % chance of surviving ECJ proceedings as well. It remains to be seen whether he is right.
In the meantime, however, there is another ToDo:
Contracts based on the old standard contractual clauses, which were issued by the European Commission in 2001 or 2010, can only be used until December 27, 2022.
From December 27, 2022, the new standard contractual clauses must be urgently agreed for all such international data transfers, regardless of the destination country. If companies fail to meet this deadline, the privileging effect of Article 46 of the GDPR will no longer apply and the transfer would be unlawful. Therefore, it is important to review and update these contracts now at the latest.