Background: Reaction to Schrems II ruling
The EU Commission has taken a landmark decision on the EU-US Data Privacy Framework, which will once again allow data transfers to the US with legal certainty. This move comes after three years of uncertainty following the Schrems II ruling by the European Court of Justice (ECJ). In the ruling, the previous Privacy Shield Framework was declared invalid because it did not meet minimum standards under the rule of law, and mass surveillance by U.S. intelligence agencies constituted a violation of fundamental rights.
EU Commission decision: free flow of data to self-certified companies
The new EU-US Data Privacy Framework introduces a two-tiered redress mechanism that allows citizens to take legal action against unlawful surveillance by US intelligence agencies. A quasi-judicial “Data Protection Review Court” decides on these complaints. As a result, the level of data protection in the U.S. is now considered equivalent to that in the EU, provided that U.S. companies have self-certified under the EU-US Data Privacy Framework.
As a result of this improvement in U.S. intelligence law, the Commission now considers the U.S. level of data protection to be equivalent to that of the EU, provided that U.S. companies have self-certified under the EU-US Data Privacy Framework. Therefore, it has issued an adequacy decision (Art. 45 GDPR), according to which personal data can be transferred to self-certified US companies without further ado.
Self-certification of the US company required
The EU-US Data Privacy Framework contains certain principles for this self-certification of US companies, which are based on European data protection law. These are necessary because the US does not have a generally applicable comprehensive data protection law.
Self-certification is done by registering the U.S. company on a U.S. Department of Commerce website for a registration fee. As of now, the approximately 2600 Privacy Shield-certified U.S. companies are also considered Data Privacy Framework self-certified. These include all major U.S. cloud providers, SaaS providers and IT service providers.
A Schrems III decision looms on the horizon
It remains to be seen how the situation will develop. The issue of EU-US data protection remains a challenge in data protection law, but the current decision by the EU Commission is an important step towards legal certainty following the Schrems II ruling.