ARTICLE
24 January 2025

A Relief For Companies: The New "EU US Data Privacy Framework" Is In Force!

SA
Schoenherr Attorneys at Law

Contributor

We are a full-service law firm with a footprint in Central and Eastern Europe providing local and international companies stellar advice. As the go-to legal advisor for complex commercial matters in the region, Schoenherr aims to use its proximity to industry leaders, in developing practical solutions for future challenges. We keep a close eye on trends and developments, which enables us to provide high quality legal advice that is straight to the point.
The CJEU's annulment of the "Privacy Shield" created significant legal uncertainty around the use of US clouds and personal data transfers to the US.
Austria Privacy

The CJEU's annulment of the "Privacy Shield" created significant legal uncertainty around the use of US clouds and personal data transfers to the US. Fortunately, summer 2023 brings good news: this legal uncertainty has gone. On 10 July 2023, the European Commission has adopted an adequacy decision on the "EU US Data Privacy Framework" (DPF).

The DPF allows transfers of personal data to the US under essentially the same mechanisms as under its predecessor, the "Privacy Shield". Thus, if a US company gets certified under the "EU US Data Privacy Framework", it creates a data protection level that is adequate to the European data protection laws. It follows that personal data can be transferred from Europe to that company without a need for additional safeguards under Art 46 GDPR. A search registry of the US companies certified under the DPF can be found under: https://www.dataprivacyframework.gov/s/participant-search.

What does this mean for European companies?

  1. If a European company transfers personal data to a US company that is certified under the DPF, it should adapt its GDPR documentation (i.e. data processing records, TIA) accordingly.
  2. Standard Contractual Clauses that the European company might have concluded with that US company remain valid. A potential certification under the DPF of the US company will not terminate the Standard Contractual Clauses. Also, it is not harmful if the Standard Contractual Clauses and the DPF certification remain simultaneously in place.

Looking forward

It hardly comes as a surprise that the DPF came under fire almost immediately from several stakeholders. The DPF probably will be challenged in the same way as the "Safe Harbour" and the "Privacy Shield". Nevertheless, companies should not be discouraged by these announcements but rather take advantage of the newly generated legal stability. It is still recommended to keep in place Standard Contractual Clauses, since the DPF is likely to be challenged . If so, this might reinstall the former status of legal instability. In that case, Standard Contractual Clauses would be a good backup, since even if the CJEU declares the DPF unlawful it seems unlikely that the court will dismiss Standard Contractual Clauses concluded with US companies.

The adequacy decision can be found here:

https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en

Information from the Data Protection Authority can be found here:

https://www.dsb.gv.at/download-links/bekanntmachungen.html#Angemessenheitsbeschluss

Originally published 28 July 2023

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More