
Transfer of Personal Data to the USA (EU-US Data Privacy Framework)

2025/05/14

In 2020, in its Schrems II judgment, the Court of Justice of the European Union annulled the Commission’s adequacy decision on the level of protection provided by the EU-US Privacy Shield. The Privacy Shield had made it possible to transfer personal data to certain companies in the United States. The Court found that the model chosen by the Commission did not ensure a sufficient level of protection for personal data transferred to the USA, since US authorities could access and process such data for national security purposes without adequate safeguards and limitations. Since that judgment, there has been no simple legal model on the basis of which such transfers of personal data to the USA could lawfully take place (although practice, particularly that of multinational companies, has not changed much in this area).

On 10 July 2023, the European Commission therefore came forward with its third attempt to create a legal mechanism for transferring personal data from the EU to the USA. The mechanism is the so-called EU-US Data Privacy Framework, which was established by an adequacy decision of the European Commission. The decision was adopted after an assessment of the US legal system and practice in the field of data protection, following consultation with the European Data Protection Board and the governments of Member States.

The concept is again based on a list of certified US companies that will be authorised to process personal data from the EU, and these companies will have to comply with certain standards in this area. The list will be published and continuously updated by the U.S. Department of Commerce. US companies will be able to act both as controllers and as processors of personal data. Personal data of employees are subject to special regulation.

The actual transfer of personal data to the USA is to be accompanied by appropriate safeguards for the protection of personal data, which will ensure that data subjects from the EU have rights vis-à-vis US companies similar to those they have under the GDPR. Expressly mentioned are the right to information and the rights of access, rectification, erasure or restriction of processing of their personal data. Data subjects should also have remedies at their disposal, as well as the right to judicial protection if their rights are violated by the relevant authorities in the USA. However, it will certainly take some time before the entire system becomes operational in practice and US companies obtain the necessary certification.

The above-mentioned adequacy decision is not permanent and may be suspended or annulled by the European Commission if it comes to light that the level of protection of personal data in the USA is no longer sufficient. Likewise, a further decision of the CJEU aimed at limiting or abolishing the possibility of transferring personal data to the United States cannot be ruled out in the future, since the degree of legislative and factual protection of personal data in the United States is objectively lower than is the case within the European Union. However, at least in the medium term, it can be assumed that the above-mentioned model should be usable in practice.

 

Josef Aujezdský

This text was originally prepared by the law firm Mašek, Kočí, Aujezdský in cooperation with the Association for Electronic Commerce (APEK) as legal newsletter No. 07/2023 intended for members of this association.

This text was translated from Czech to English using an AI translator.
