1. Overview – from “Safe Harbor” to today
The handling of personal data (Art. 4 No. 1 GDPR) within the EU is regulated by the GDPR, which guarantees a standardised level of protection. However, problems can arise when personal data is transferred to countries outside the EU, so-called “Non-EU countries”. Outside the EU, the territorial scope of the GDPR ends and there is a risk that the protection of the transferred personal data deteriorates. It therefore becomes more difficult for companies to organise data traffic in a legally compliant manner whenever their data processing involves Non-EU countries. For example, companies will have to carry out special risk and security analyses.
The GDPR provides for a simplification option for data transfers to Non-EU countries. According to Art. 45 para. 1 GDPR, the transfer of data to Non-EU countries is permitted without further authorisation if the EU Commission has decided that the respective Non-EU country has an adequate level of protection. Such decisions are called adequacy decisions.
Such an adequacy decision was adopted on 10 July 2023 with regard to the USA as a Non-EU country. This was triggered by the signing of an Executive Order by the United States, which stipulated binding guarantees with regard to data privacy. The EU-US Data Privacy Framework is intended to end three years of uncertainty caused by the so-called “Schrems II judgement” of the ECJ in 2016, which overturned its predecessor, the “Privacy Shield” (2015). This meant that the “Privacy Shield” suffered the same fate as its predecessor “Safe Harbor” (2000), which came to an end with the “Schrems I judgement”.
2. The Schrems decisions
The “Schrems decisions” ultimately led to the new EU-US Data Privacy Framework, as they overturned its two predecessors. These are decisions of the ECJ by way of a referral procedure, which can be traced back to the endeavours of the Austrian lawyer Maximilian Schrems against data processing at Facebook Ireland Limited.
a.) Schrems I (ECJ (Grand Chamber), judgement of 6 October 2015 – C-362/14; NJW 2015, 3151)
The first of the two decisions dates back to 2015 and overturned the “Safe Harbor” decision from 2000, which had previously applied between the USA and the EU, on the grounds that the level of data privacy was inadequate. As the GDPR did not yet exist at that time, the Court’s standard of review focussed on Articles 7, 8 and 47 of the Charter of Fundamental Rights of the EU (CFR). The points criticised by the ECJ related in particular to the fact that only certified companies were bound by “Safe Harbor” and that data privacy concerns were in principle subordinated whenever national security or the public interest so required.
For example, paragraph 87 of the judgement states:
“In view of its general nature, the exception in paragraph 4 of Annex I to Decision 2000/520 therefore makes it possible to interfere with the fundamental rights of individuals whose personal data are or may be transferred from the Union to the United States on the basis of requirements of national security, public interest or United States law. In order to establish the existence of an interference with the fundamental right to privacy, it does not matter whether the privacy information concerned is of a sensitive nature or whether the persons concerned may have suffered detriment as a result of the interference (ECJ, ECLI:EU:C:2014:238 = NJW 2014, 2169 = EuZW 2014, 459 para. 33 with further references – Digital Rights Ireland and others).”
And in paragraph 89:
“In addition, Decision 2000/520 does not contain any finding on the existence of effective judicial protection against such interference.”
The Court concluded “that Decision 2000/520 is invalid” (paragraph 106).
b.) Schrems II (ECJ judgement of 16 July 2020 – C-311/18, GRUR-RS 2020, 16082)
The Schrems II decision of 2020, which found the Commission’s “Privacy Shield” decision, the successor to “Safe Harbor”, to be invalid, went in a similar direction. The points of criticism in this decision were the use of surveillance programmes by US intelligence services and inadequate legal remedies for citizens of the European Union.
For example, paragraph 181 of the judgement states:
“According to the findings in the DSS Decision, the surveillance programmes based on Section 702 of FISA must indeed be carried out in compliance with the requirements following from PPD-28. While the Commission emphasised in recitals 69 and 77 of the DSS Decision that such requirements are binding on the US intelligence services, the US government conceded in response to a question from the Court that PPD-28 does not confer any rights on data subjects that can be enforced in court against the US authorities. Consequently, the PPD-28 is not capable of ensuring a level of protection equivalent in substance to that resulting from the Charter, contrary to Article 45(2)(a) of the GDPR, according to which the determination of that level depends, inter alia, on whether the individuals whose data have been transferred to the third country in question have effective and enforceable rights.”
And in paragraphs 184 to 186:
“Consequently, neither Section 702 of FISA nor E.O. 12333 in conjunction with PPD-28 can be considered to meet the minimum requirements existing in Union law under the principle of proportionality, so that the surveillance programmes based on those provisions cannot be considered to be limited to what is strictly necessary.
In those circumstances, the restrictions on the protection of personal data, as assessed by the Commission in the DSS Decision, which result from the fact that, under United States law, the American authorities may access and use such data transferred from the European Union to the United States, are not such as to fulfil requirements equivalent in substance to those existing in EU law under the second sentence of Article 52(1) of the Charter.
Secondly, as regards Article 47 of the Charter, which is also decisive for the level of protection required in the Union and compliance with which must be established by the Commission before it adopts an adequacy decision within the meaning of Article 45(1) of the GDPR, it should be noted that, under Article 47(1) of the Charter, any person whose rights or freedoms guaranteed by Union law have been infringed has the right to seek an effective remedy before a tribunal in accordance with the conditions laid down in that Article. Under Article 47(2), everyone has the right to have his or her case heard by an independent and impartial tribunal.”
3. Data Privacy Framework of 10 July 2023
The Data Privacy Framework of 10 July 2023 is intended to meet the complaints of the ECJ, in particular from the “Schrems II” decision. The new agreement was preceded by an Executive Order issued by US President Biden on 7 October 2022, in which protective measures to safeguard privacy and data protection with regard to the activities of intelligence services were enshrined.
The Data Privacy Framework now provides for binding guarantees that the interference of US authorities with personal data will be limited in terms of proportionality and necessity. EU citizens will also have the opportunity to lodge a complaint against the processing of their personal data, which will first be examined by the Civil Liberties Protection Officer of the US intelligence services and, if contested, subsequently by an independent court. In addition, the activities of the intelligence services are to be monitored more closely.
4. Practical significance for companies
The certification procedure from “Privacy Shield” will be retained, which means that US companies can certify their compliance with the Data Privacy Framework by means of a declaration of commitment.
The Data Privacy Framework will then apply between certified companies and EU companies and no special authorisation, standard data protection clauses or other guarantees will be required for data transfers.
European companies must therefore check whether they are authorised to rely on the Data Privacy Framework, in particular whether the respective US company is certified. A corresponding list is available on the website of the US Department of Commerce, which also monitors compliance with the agreement on an annual basis.
If a company is not certified, standard clauses (these are guarantees within the meaning of Art. 46 GDPR) and a correspondingly documented assessment are still required. In doing so, companies must prepare a so-called “TIA” (Transfer Impact Assessment), which analyses the respective security level of the third country.
Particular pitfalls can arise in the area of external services such as Google. Here, companies are required to check exactly which specific Google services are used and whether their respective operators are certified. In certain configurations, user consent may also be required for specific data processing.
5. Outlook
It remains to be seen whether the EU-US Data Privacy Framework is here to stay. One of the main criticisms is that, as under the Privacy Shield, certification can be carried out without any checks. There are no legally guaranteed control and verification mechanisms on the part of data subjects or data senders from the EU with regard to certified data importers and processors in the USA. Mr Schrems has already announced his intention to take action against this EU Commission decision. It therefore cannot be ruled out that the ECJ will issue a “Schrems III decision” in the foreseeable future.