• Insights

Uncertainty remains on EU-US data transfers

European Union
Written by
Claeys & Engels offers reassurance in the full range of human resources matters and fast, efficient and pragmatic legal advice.
A new framework has been adopted for data transfers between the European Union and the United States. But is it legally sound?

On 20 September 2023, the European Commission’s new Adequacy Decision for companies in the United States of America certified under the Data Privacy Framework (DPF) was published in the EU’s Official Journal. This decision, taken on 10 July, allows data sharing with American organisations with much less worry. For now, anyway.

Should you stop using American tools?

Organisations asking this question have been in a quandary in recent years. Since July 2020, data transfers to the US had become all but impossible as a result of the Court of Justice of the European Union’s Schrems-II ruling. The Court’s decision invalidated the then EU-US Privacy Shield and imposed far-reaching obligations on companies wishing to use American tools, due to the inadequate level of personal data protection in the US.

Many American companies were certified under the Privacy Shield, which made it very easy to engage in data exchange. Under European law, data exchange outside the European Economic Area (i.e. the EU, Iceland, Norway and Liechtenstein) requires a transfer mechanism. An adequacy decision is a mechanism by which the European Commission indicates that a particular country provides adequate safeguards for the protection of personal data. For the US, this was conditional on American companies being certified under the Privacy Shield.

Because the Privacy Shield was declared invalid, companies had to look for other transfer mechanisms to transfer personal data to the US. Most companies found those in the reworked Standard Contractual Clauses (SCCs) approved by the European Commission. However, according to the CJEU, these SCCs alone were not sufficient: companies had to examine whether supplementary measures were appropriate as a function of an in-depth analysis known as a Data Transfer Impact Assessment (DTIA). These included measures such as encryption, anonymisation and pseudonymisation. Only once sufficient measures had been taken was a company allowed to use American tools such as Google Analytics or Mailchimp. In practice, these measures were often inefficient or far too expensive, and this led to European alternatives being adopted more quickly.

A return to carefree data sharing?

A good two years after the Schrems-II ruling, US President Joe Biden and European Commission President Ursula von der Leyen suddenly reached an agreement. On the US side, this agreement has been implemented as a presidential Executive Order. As a result, a successor to the Privacy Shield called the Data Privacy Framework (DPF) is now in place. American companies can certify under the DPF and thus fall within the scope of the adequacy decision. The transition was extremely straightforward for companies that had already been certified under the Privacy Shield.

The main consequence of this adequacy decision is that it is now much easier to use American tools again. For organisations certified under the DPF, it is no longer necessary to use SCCs and take additional measures. It is also now much simpler to deal with companies that are not certified under the DPF: SCCs or another transfer mechanism will still need to be used, but far-reaching additional measures are not required in many cases. The European Commission clarified in a Q&A that the measures taken by the US cover all transfers to the US, regardless of the transfer mechanism.

No stable solution

Since there have not been any major, substantive changes to American law since the Schrems-II ruling, it was also inevitable that well-known privacy advocate Max Schrems would challenge the new DPF. He expects the case to return to the CJEU by the end of 2023 or early 2024. The CJEU will then have the option of suspending the DPF while the case is pending. He expects a final decision from the CJEU in 2024 or 2025.

In early September, it was announced that a case challenging the DPF is already pending before the General Court of the European Union. It should, however, be noted that its chances of success are estimated to be low.

Only time will tell whether the DPF holds up. Given Schrems’s previous victories and the fact that no significant changes have been made, it is likely that he will win again. It would therefore be prudent to explore European alternatives or ensure that sufficient additional safeguards are in place when using American tools.

The message for companies

While waiting for the final outcome, we suggest that companies prepare for the future with these practical steps:

  • Map all tools within the company (i.e. conduct vendor due diligence).
  • Look for equivalent alternatives within Europe.
  • Implement additional measures if using US tools.

To find out more about employee data privacy

Image source: Court of Justice of the European Union