Can we use American tools again? - Appropriate protection for data transfers to the United States under the Data Privacy Framework

On 20 September 2023, the Official Journal of the European Union published the 10 July 2023 decision adopting a new Adequacy Decision for companies in the United States of America certified under the Data Privacy Framework (DPF). This again allows data sharing with American organisations with much less worry. For now, anyway.

Should you stop using American tools then?

Organisations asking this question have been in a quandary in recent years. Since July 2020, data transfers to the US had become quasi-impossible as a result of the Court of Justice’s Schrems-II ruling. This invalidated the then EU-US Privacy Shield and imposed far-reaching obligations on companies wishing to use American tools (see our previous newsflash). Briefly, the reason lay in the lack of an adequate level of personal data protection in the US.

Many American companies were certified under this Privacy Shield, which made it very easy to engage in data exchange. In fact, data exchange outside the European Economic Area (EU + Iceland, Norway and Liechtenstein) requires a transfer mechanism. Thus, the adequacy decision is a mechanism by which the European Commission indicates that a particular country provides adequate safeguards for the protection of personal data. For the US, this was conditional on the American company being certified under the Privacy Shield.

Because the Privacy Shield was declared invalid, companies had to look for other transfer mechanisms to transfer personal data to the US. Most companies found those in the reworked Standard Contractual Clauses (SCCs) approved by the European Commission. However, according to the ECJ, these SCCs alone were not sufficient: companies had to examine whether supplementary measures were appropriate as a function of an in-depth analysis (so-called Data Transfer Impact Assessment or DTIA). These included measures such as encryption, anonymisation and pseudonymisation. Only once sufficient measures had been taken so that the level of protection could be guaranteed was a company then finally allowed to use American tools such as Google Analytics and Mailchimp. In practice, these measures were often very inefficient or far too expensive, which led to European alternatives being adopted more quickly.

Time to return to carefree data sharing with the United States

A good two years following the Schrems-II ruling, American President Joe Biden and European Commission President Ursula von der Leyen suddenly reached an agreement. This agreement was sealed in a presidential Executive Order. Hence, a successor to the Privacy Shield called the Data Privacy Framework came next. American companies can certify under it and thus fall within the scope of the adequacy act. The transition was extremely easy for companies already certified under the Privacy Shield in the past.

The main consequence of this adequacy decision is that it is now much easier to use American tools again. Because for organisations certified under the DPF, you no longer have to close SCCs and take additional measures. It also becomes much simpler for companies that are not certified under the DPF. You will still have to close SCCs or use another transfer mechanism, but you will no longer have to take far-reaching additional measures in many cases. The European Commission clarified in a Q&A that the measures taken by the US cover all transfers to the US, regardless of the transfer mechanism.

No stable solution

Since there have not, per se, been any conclusive substantive changes to American law since the Schrems-II ruling, it was also inevitable that well-known privacy advocate Max Schrems would challenge the new DPF. He expects the case to return to the ECJ by the end of 2023, early 2024. The ECJ will then have the option to suspend the DPF during the time of the proceedings. He expects the final decision of the ECJ in 2024 or 2025.

In early September, it was announced that a case against the DPF is already pending before the General Court (of the European Union). It should right away be noted that the chances of success are estimated to be low.

 Only time will tell whether the DPF holds up. Given Schrems’ previous victories and the fact that essentially no significant changes have been made, it is likely that he will win another case. That is why you should explore European alternatives or take sufficient additional safeguards when using American tools.

Looking for alternatives

While waiting for the final outcome, you can already prepare for the future with these steps:

• Map all tools within the company (vendor due diligence).
• Look for equivalent alternatives within Europe.
• Implement additional measures at your US tools.