On 10 July 2023, the European Commission adopted its adequacy decision for the United States.
The decision has been received positively by many, including the Norwegian Data Protection Authority for making it easy for businesses to transfer personal data at the same time as ensuring that measures are in place to protect individuals' rights. However, not everyone is on the same page and "Schrems III" might already be on its way.
Background
The previous adequacy decisions (Safe Harbour Framework and EU-U.S. Privacy Shield) for the United States have both been invalidated by the Court of Justice of the European Union ("CJEU") in the well-known Schrems I and Schrems II decisions respectively.
Businesses on both sides of the Atlantic have since been using extensive resources to assess cross-border transfers and to put in place appropriate measures to enable transfers while ensuring compliance with the transfer rules under the GDPR.
The European Commission and the United States have, in the meantime, been in negotiations for a new framework with the prerequisite that the US amends its intelligence legislation to strengthen privacy and provide better rights for individuals.
The adequacy decision
The new decision establishes that the United States ensures an adequate level of protection for personal data transferred from the EU/EEA to the US companies which join the EU-US Data Privacy Framework.
In order to join the framework, US companies will be required to commit to comply with a detailed set of privacy obligations, for instance the requirement to delete personal data when it is no longer necessary for the purpose for which it was collected, and to ensure continuity of protection when personal data is shared with third parties. The list of US companies participating in the framework will be available at https://www.dataprivacyframework.gov/s/participant-search.
On the basis of the new adequacy decision, personal data can flow safely and freely from the EU to US companies participating in the framework, without having to put in place additional data protection safeguards. It is important to note, however, that European entities transferring personal data to the US companies in the framework must still comply with the other requirements under the GDPR, including but not limited to having a valid legal basis for processing (and transfer) of personal data.
Schrems III
NOYB - European Centre for Digital Rights, which is founded by Maximilian Schrems, who is the complainant in the Schrems decisions, announced that they already have prepared various procedural options to bring the new framework back before the CJEU.
NOYB claims that there is little change in the US laws and in fact, the new framework is largely a copy of the Privacy Shield. For this reason, they are preparing to challenge the new rules before the EU court as soon as the framework is being implemented by the first companies within the next months.
Their prediction is that it is not unlikely that a challenge would reach the CJEU by the end of 2023 or beginning of 2024. The CJEU would then have the option to suspend the new rules for the time of the procedure. A final decision by the CJEU is expected to arrive by 2024 or 2025.
Next steps
In the next few months, we can expect to see a number of US companies joining the framework. As the rules are effective immediately, EU companies can start freely transferring personal data to these companies as soon as the companies' participation in the framework is approved.
However, we might also be looking at a new legal challenge which might temporarily or permanently bring an end to the new EU-U.S. Data Privacy Framework in the not so far future.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.