After the Privacy Shield was repealed in July 2020 as a result of the Schrems II ruling, data transfers to the US became much more difficult and, above all, uncertain. The legal basis for the export was in most cases standard contractual clauses (the “clauses”), but in the wake of the above-mentioned judgment, even these were not enough on their own. In addition, controllers (or processors) of personal data that transferred any personal data to the US had to investigate whether the clauses, taking into account US legislation (in particular the powers of the intelligence agencies), were sufficient to ensure the same or a comparable level of data protection as is provided in the EU, or whether additional safeguards were needed. Such assessments are laborious and uncertain, and in practice this approach has probably meant that few transfers to the US have actually been GDPR compliant.
The European Commission’s (EC) adequacy decision (the “decision”), which allows the transfer of personal data from the EU to those companies participating in the EU-US Data Privacy Framework (DPF), is therefore very welcome. It has been adopted and is effective as of 10 July 2023. Unlike traditional adequacy decisions, which apply to a country as a whole, the DPF operates on a similar principle to the Privacy Shield previously in force, i.e. on the principle of certification of individual companies. The adequacy decision is valid and constitutes the appropriate legal basis only for transfers to companies so certified. A list of these is available on the website of the US Department of Commerce.
Despite its similarities to the Privacy Shield, the DPF introduces certain additional safeguards to ensure that the level of protection of personal data is comparable to that in the EU:
- US companies will be eligible for certification under the DPF if they commit to comply with a detailed set of privacy obligations, such as the requirement to delete personal data when it is no longer necessary for the purpose for which it was collected and to ensure continuity of protection when personal data is transferred to third parties. They will also be required to publish their privacy policy and a link to the US Department of Commerce website where further information on certification and individuals’ rights can be found.
- Individuals will also gain additional legal remedies: free independent dispute resolution mechanisms, arbitration, and the newly established Data Protection Review Court (DPRC) in the US in relation to the processing of personal data by US intelligence agencies.
- One year after entry into force, the EC and the competent US authorities will review the functioning of the new framework and assess both its adequacy as well as the adequacy of the implementation of all the measures foreseen therein. They will then continue to review it periodically, at least once every 4 years.
Controllers and processors wishing to transfer personal data to the US will therefore need to check whether the company (i.e. the data importer) is validly certified under the DPF, and then only enter into an appropriate contract with it (for example, for the processing of personal data). The legality of the transfer will no longer require the conclusion of standard contractual clauses. Of course, the decision does not affect the validity of standard contractual clauses already concluded, and they may (or in some cases must) continue to be used as the basis for the transfer of personal data.
The change discussed in this article is certainly welcome, and not only for companies that have direct contacts with US companies or have subsidiaries or group companies in the US. Most companies in Slovenia (and the EU) use some kind of service from the US, such as software-as-a-service (SaaS), servers, digital services or outsourced data processing (e.g. Google Analytics). In all these cases, companies will now be able to rely on the new adequacy decision (provided, of course, that they do business with certified companies).