Background: Reaction to Schrems II judgment
The EU Commission has adopted a groundbreaking decision on the EU-US Data Privacy Framework, which once again enables data transfers to the USA in a legally secure manner. This step comes after three years of uncertainty following the Schrems II ruling of the European Court of Justice (ECJ). In that ruling, the previous Privacy Shield Framework was declared invalid because it did not meet the minimum standards of the rule of law and because mass surveillance by US intelligence services constituted a violation of fundamental rights.
EU Commission decision: free flow of data to self-certified companies
A two-tier legal protection mechanism has been introduced in the new EU-US Data Privacy Framework, which enables citizens to take legal action against violations of the law in connection with surveillance by US intelligence services. A quasi-judicial "Data Protection Review Court" decides on these complaints. As a result, the level of data protection in the US is now considered equivalent to that in the EU, provided that US companies have self-certified under the EU-US Data Privacy Framework.
As a result of this improvement in US intelligence law, the Commission now considers the US level of data protection to be equivalent to that of the EU, provided that US companies have self-certified in accordance with the EU-US Data Privacy Framework. It has therefore issued an adequacy decision (Art. 45 GDPR), under which personal data can be transferred to self-certified US companies without further ado.
Self-certification of the US company required
The EU-US Data Privacy Framework contains certain principles for this self-certification of US companies, which are based on European data protection law. These are necessary because the USA does not have a generally applicable comprehensive data protection law.
Self-certification takes place by registering the US company on a website of the U.S. Department of Commerce for a registration fee. As of now, the approximately 2,600 Privacy Shield-certified US companies are also considered to be Data Privacy Framework self-certified. These include all major US cloud providers, SaaS providers and IT service providers.
A Schrems III decision is on the horizon
It remains to be seen how the situation will develop. The issue of EU-US data protection remains a challenge in data protection law, but the current decision by the EU Commission is an important step towards legal certainty following the Schrems II ruling.