After Safe Harbor and Privacy Shield were overturned by the European Court of Justice years ago as the legal basis for the transfer of personal data to the USA, there is now a new approach to transatlantic data transfers: the EU-US Data Privacy Framework.

Almost every company is affected by transatlantic data transfers to the USA, as most of the major tech providers (such as Apple, Microsoft, Amazon, Google and Facebook) are based in the USA. Ever since the European Court of Justice struck down first Safe Harbor and then the subsequent Privacy Shield agreement as the basis for transatlantic transfers of personal data, there has been a high level of legal uncertainty for many companies. At the same time, many companies were and are dependent on the transfer of personal data to the USA – often due to a lack of viable alternatives.
EU-US Data Privacy Framework
With the EU-US Data Privacy Framework (EU-U.S. DPF), the EU and the USA are now making their third attempt at an agreement on the transfer of personal data between the EU and the USA. On July 10, 2023, the European Commission published its adequacy decision for the EU-US Data Privacy Framework. The decision applies from July 10, 2023.
The adequacy decision concludes that the United States ensures a level of protection comparable to that of the EU for personal data transferred from the EU to U.S. companies participating in the EU-U.S. DPF.
This means that there is once again a legal basis for companies to transfer data to the USA under these conditions.
What is different about the EU-US Data Privacy Framework?
A key element of the EU-U.S. DPF is the Executive Order “Enhancing Safeguards for United States Signals Intelligence Activities” signed by President Biden on October 7, 2022, which is accompanied by regulations issued by the U.S. Department of Justice. This is intended to address the concerns raised by the European Court of Justice in its rulings on Safe Harbor and Privacy Shield, also known as Schrems I and Schrems II.
For EU citizens whose personal data is transferred to the USA, this Executive Order provides for the following:
- Binding guarantees that limit access to data by US intelligence agencies to what is necessary and proportionate to protect national security;
- Increased oversight of U.S. intelligence activities to ensure compliance with restrictions on surveillance activities;
- and the establishment of an independent and impartial redress mechanism, including a new Data Protection Review Tribunal, to investigate and adjudicate complaints about the US National Security Authorities’ access to their data.
In future, EU citizens will therefore be better protected from the data-collection frenzy of American intelligence services and will also have access to legal remedies.
Criticism
Max Schrems, who gave his name to the two CJEU decisions against the previous agreements, and noyb, for whom he works, are already warming up for a third case before the CJEU. In their view, the framework is merely a copy of the Privacy Shield with purely cosmetic but not substantial changes.
The main points of criticism are:
- The understanding of proportionality in the USA is completely different, as mass surveillance by US intelligence services is considered proportionate there.
- There is still no real legal remedy, as it is still not possible for EU citizens to go to real courts in the USA over surveillance measures by the US intelligence services. The “court” that has now been set up is once again not a real court but is subordinate to the executive branch in the USA.
- It is also only an executive order on the part of the USA, not a formal law. The next president could therefore reverse this.
Conclusion
Despite all the (justified) criticism of the EU Commission’s adequacy decision on the EU-US Data Privacy Framework, this is currently a legal basis for companies to transfer data to the USA. You just have to be aware that this legal basis may be removed again in a Schrems III decision by the CJEU. Until then, however, it applies.