Many data exporters are struggling to transfer data to the United States in a GDPR-compliant manner after the European Court of Justice annulled the adequacy decision for the United States in July 2020 with its Schrems II ruling. Data transfer to the US is a sensitive issue, as personal data may be transferred to or accessed from the US in connection with many technology services that are widely used also in the EU. Accordingly, the United States is not only one third country under the GDPR to which data transfers can only take place in accordance with the conditions set out in the GDPR, but it has paramount importance, taking into account the extent of economic relations and the widespread use of technological solutions associated with data transfer (e.g. cloud services).
With respect to the above, the adoption of a new adequacy decision has been highly awaited on the basis of the March 2022 EU-US Data Transfer Framework Agreement, which could significantly make data transfers to the US easier.
Three years after the Schrems II judgment, this moment has come: the European Commission has published the new adequacy decisions regarding the US!
(Please see the press release here. The adequacy decision is available here, together with its annexes.)
1. What is an adequacy decision?
An adequacy decision is one of the possible but in any case, the easiest means of transferring data to the third country concerned by the adequacy decision. In the adequacy decision, the Commission acknowledges that the third country (or a territory or one or more specified sectors within that third country, or the international organisation in question) ensures an adequate level of data protection. Data transfer to such third countries shall not require any specific authorisation or other mechanisms (e.g. standard contractual clauses, binding corporate rules, etc.). Thus, the adequacy decision relieves a significant burden from the shoulders of data controllers and data processors planning data transfers. (Of course, this does not mean that data exporters should not take care of other requirements for data processing and data transfer, but an essential prerequisite is met in connection with data transfers.)
Currently, there are adequacy decisions in place for the following third countries:
- Andorra
- Argentina
- Faroe Islands
- Guernsey
- Israel
- Japan
- Jersey
- Canada (not all data controllers are covered, you can find more information here)
- Isle of Man
- Republic of Korea
- Switzerland
- United Kingdom
- United States of America
- Uruguay
- New Zealand
(Further information and the relevant decisions of the Commission are available here.)
2. What does the adoption of an adequacy decision for the USA mean for data exporters?
The adoption of the adequacy decision makes the life much easier for data exporters as they can consider that an adequate level of protection is ensured in the US, so they "only" have to provide for other conditions for data processing and data transfer, essentially as if data processing were taking place within the EU. (From the decisions of the authorities in recent years, e.g. Google Analytics cases, it could have been seen how much difficulty and serious fines can result from improper data transfers.)
Data exporters may transfer personal data to the US without using any other transfer mechanism in view of the adequacy decision. It is important to note that data transfers in this way can only be made to organisations that are on the Data Privacy Framework List, which is publicly available. (Previously, under Safe Harbour and then under Privacy Shield, a similar mechanism was used.) This authoritative list contains US organizations that have self-certified to the Department of Commerce and declared their commitment to adhere to the Principles (“the
Data Privacy Framework List”). Once an organisation has been added to the list, data can then be transferred to it on the basis of the adequacy decision. It is therefore necessary to check the list in advance in connection with data transfers. (In the event of a transfer to an organisation not on the list, other data transfer mechanisms provided for in the GDPR, e.g. standard contractual clauses, can be applied.)
Of course, if an entity included in the Data Privacy Framework List no longer meets the requirements, it may be removed from the list and may no longer receive data on the basis of the adequacy decision.
3. How long can data exporters rely on an adequacy decision? Will Schrems III come?
We do not know that. The adequacy decision has been criticised (already as a draft), so it can be expected that sooner or later it will also be tested before the European Court of Justice (please see NOYB´s first comments on the adequacy decision, including Max Schrems´ statements thaty they will challange the decision in front of the ECJ). However, until a court ruling has been made that would affect the validity of the adequacy decision, data transfers can rely on this mechanism.
EU-US data transfer chronology
- 26 July 2000: adoption of the first adequacy decision for the USA (Safe Harbour) (Decision 2000/520/EC)
- 6 October 2015: Judgment annulling the first adequacy decision (Safe Harbour) for the USA (C-362/14, Schrems I)
- 27 April 2016: GDPR adoption
- 24 May 2016: Entry into force of GDPR (20th day after publication in the Official Journal of the EU)
- 12 July 2016: Adoption of the second adequacy decision (Privacy Shield) for the USA (Commission Implementing Decision 2016/1250)
- 25 May 2018: GDPR becomes applicable
- 16 July 2020: Judgment annulling the second adequacy decision (Privacy Shield) for the USA (C-311/18, Schrems II)
- 25 March 2022: The Trans-Atlantic Data Privacy Framework is announced
- October 7, 2022: The President of the United States signs the Executive Order under the Framework Agreement (EO 14086)
- 13 December 2022: The European Commission publishes its draft (third) adequacy decision for the USA
- 28 February 2023: The EDPB adopts and publishes its opinion on the European Commission's draft (third) adequacy decision for the US
- 11 May 2023: The European Parliament expresses critical opinion on the draft adequacy decision
- 4 July 2023: The US Secretary of Commerce issues a statement stating that the US has fully complied with the EU-US Data Transfer Framework Agreement (The Office of the Director of National Intelligence (ODNI) published the Intelligence Community Procedures implementing new safeguards in Executive Order 14086.)
- 6 July 2023: The "Committee on the protection of individuals with regard to the processing of personal data and on the free movement of such data" issued a positive opinion on the Commission's draft adequacy decision
- 10 July 2023: The European Commission adopts and publishes its third adequacy decision for the US
Further resources regarding the adequacy decision and it impacts:
- Odia Kagan´s summary published on LinkedIn: "#cryandpray Pause: The US Adequacy Decision Deep Dive You Didn’t Know you Needed: Part 1 of 3" (July 11)
- A summary from Hogan Lovells: "EU-U.S. Data Privacy Framework: European Commission takes third bite at the adequacy cherry" (July 10, authors: Eduardo Ustaran, Henrik Hanssen, Julie Schwartz, Bret Cohen, and Julian Flamant)
- Rie Aleksandra Walle´s collection of useful resources: Key resources for the EU-U.S. Data Privacy Framework! (July 10)
