Yesterday, after 2 years of uncertainty, the European Commission decided that the United States provides sufficient guarantees for secure personal data transfers. This means that transferring data to the US has now become much easier. Where did this decision come from?
In July 2020, the Court of Justice of the European Union issued a groundbreaking ruling: Schrems II. The Court determined that the transfer of data from the EU to the US was not sufficiently secure under the existing arrangement between the two parties. The Privacy Shield, which was in effect at that time, did not provide adequate guarantees for data protection. It should be noted that this was not the first time the Court had reached such a decision; in 2015, in the Schrems I ruling, the Court had already determined that the Safe Harbor scheme was not good enough.
Since the Schrems II ruling, there was no privacy arrangement in place between the US and the EU. This meant that data flows between the two became very challenging. However, on July 10, 2023, this changed: the European Commission issued an Adequacy Decision. An Adequacy Decision means that the Commission considers a country or territory to have sufficient safeguards for exchanging data. The US now joins a relatively small group of countries and territories for which such an adequacy decision has been made; other adequacy decisions have only been issued for Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, the United Kingdom, Uruguay, South Korea, and Switzerland.
Why is the US now considered safe?
In Schrems II, the Court concluded that European personal data could not be sufficiently protected in the US. The American security agencies, such as the CIA, NSA, and FBI, essentially had no restrictions or safeguards. Data was requested by the government in a very broad and indiscriminate manner (in bulk), and European citizens had no recourse to American courts to complain about this data processing. The Court also found it problematic that EU judges couldn’t turn to an American court. Under the Privacy Shield, there was an ombudsman mechanism, but the Court deemed it insufficient, as the ombudsman lacked the power to intervene in security agency matters and was directly subordinate to the Secretary of State. You can read more about this ruling in this blog post.
According to the European Commission, these concerns have now been addressed, which is why an Adequacy Decision has been issued. The EU and the US have established the EU-U.S. Data Privacy Framework. Companies can join this Framework and must adhere to the privacy safeguards. For instance, companies must delete personal data when it is no longer needed for the purpose it was collected, and they must ensure continuity of protection when sharing personal data with third parties.
The Framework also imposes limitations on what government agencies like the NSA can access. Access to European data is now restricted to what is necessary and proportionate to protect US national security.
To address the issue of access to justice, the Data Protection Review Court will be established. This court will independently investigate and resolve complaints and can impose binding corrective measures.
Will there be a Schrems III?
Does this mean that data flows between the EU and the US are permanently allowed? In the long run, it is doubtful. Max Schrems, the plaintiff in the aforementioned landmark cases, has already announced that he will closely scrutinize the Data Privacy Framework. So, a Schrems III is not out of the question. Ultimately, American security agencies have (very) broad powers that limit privacy. Whether the Framework adequately restrains these powers remains to be seen. It is likely that the Court will have to render a judgment on this matter soon.
About the author: Wesley C Waldo
Wesley C Waldo, a promising writer who is preparing to publish his first novel in 2023. Travels a lot and collects the clues for a new book. He writes on social topics, sometimes describes an event or two.