On July 10, 2023, the European Commission made the long-awaited adequacy decision. According to the Trans-Atlantic Data Privacy Framework ("TADPF"), companies can now base data transfers to the USA on this decision. Currently, the TADPF serves as the new legal basis for data transfers to the USA under Article 45 of the General Data Protection Regulation (GDPR).
What has happened so far...
The "predecessor" of the TADPF, "Safe Harbor" from 2000, was invalidated by the European Court of Justice (ECJ) in 2015. In 2016, "Privacy Shield" was introduced as a replacement, but it was also invalidated by the ECJ in 2020. On both occasions, the ECJ cited the lack of sufficient legal protection for EU citizens' data and the unrestricted access by US authorities to personal data as the main reasons for the invalidation. The TADPF, as the successor to these two "predecessor" adequacy decisions, is now intended to ensure an adequate level of data protection for EU citizens whose data is processed in the USA.
Guarantees by the USA
The USA assured the EU, among other things, that access to personal data of EU citizens by US authorities would be more restricted. Access would only occur under specific conditions, particularly taking into account the principle of proportionality. Additionally, legal remedies were provided for EU citizens in case of alleged unlawful data processing. This includes a two-tiered complaint and redress mechanism. The implementation of these (and other guarantees) formed the basis for the adoption of the TADPF.
How does this affect companies?
Since the invalidation of "Privacy Shield" in 2020, businesses were compelled to enter into Standard Contractual Clauses (SCC) as a result of their engagement with US service providers. The European Court of Justice (ECJ) also ruled, in the same decision that invalidated "Privacy Shield," that even when using SCCs, additional measures must be taken to ensure an adequate level of data protection. For instance, the Austrian Data Protection Authority determined in the decisions regarding Google Analytics I and II that SCCs, despite the implementation of additional measures, were not sufficiently effective.
Starting July 10, 2023, data transfers to US companies certified under the Trans-Atlantic Data Privacy Framework (TADPF) should no longer require guarantees such as SCCs. This remains the case until the ECJ revokes the adequacy decision.
Conclusion
The TADPF initially provides relief for companies that conduct data transfers to the USA. However, the European Center for Digital Rights (NOYB) has already announced that there is a high likelihood that the European Court of Justice (ECJ) will also invalidate this adequacy decision.
For any inquiries, the KWR Data Protection team is available to assist.