In July 2020, the Court of Justice of the European Union issued a landmark ruling: Schrems II. The court ruled that data transfers from the EU to the US were not sufficiently secure under the existing arrangement between the two parties. The arrangement in force at the time, the so-called Privacy Shield, did not provide adequate guarantees of data protection. This was not the first time the court had decided this: in 2015, in the Schrems I judgment, the court had already ruled that the Safe Harbor provision was not enough.
An adequacy decision
After the Schrems II ruling, there was no privacy arrangement between the US and the EU. That made data flows between the two more complex. This changed on 10 July 2023, when the European Commission adopted a so-called adequacy decision. An adequacy decision means that the Commission considers that there are sufficient safeguards to exchange data with a country or territory. The United States now joins a relatively small number of countries and territories for which an adequacy decision has been made; otherwise, adequacy decisions have been made only for Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, the United Kingdom, Uruguay, South Korea and Switzerland.
Why is America safe now?
In Schrems II, the Court concluded that European personal data could not be stored sufficiently securely in the United States. For example, US security services such as the CIA, NSA and FBI are subject to virtually no controls and guarantees, the government requests data very broadly (in bulk), and European citizens cannot go to US courts with a complaint about this data processing. The court also found that EU judges cannot go to US courts. Under the Privacy Shield, an ombudsman could be approached, but the court did not think this was sufficient: he could not interfere with the security services and reported directly to the Secretary of State (Foreign Affairs). Read more about this judgment in this blog.
According to the European Commission, these objections have now been resolved, so an adequacy decision can be issued. The European Union and the United States have set up the EU-US Data Privacy Framework. Organizations can commit to this framework, after which they must comply with its privacy guarantees. For example, organizations must delete personal data when it is no longer needed for the purpose for which it was collected, and guarantee continuity of security when personal data is shared with third parties.
The framework also places restrictions on what government agencies like the NSA can see. Access to European data is now limited to what is necessary and proportionate to protect US national security.
The Data Protection Review Tribunal was established to address the issue of going to court. This court can independently hear and resolve complaints and take corrective action.
Will there be a Schrems III?
Does this white smoke mean that data flows between the EU and the US are definitively allowed? In the long run, this is doubtful. Max Schrems, the complainant in the aforementioned high-profile cases, has already expressed a critical view of the Data Privacy Framework. A Schrems III is therefore not ruled out. Ultimately, US security services have (very) broad powers to regulate privacy. It remains to be seen whether the framework adequately restricts these powers. There is a high possibility that the court will give a verdict on this soon.
Does your company transfer data to the US? Or are you curious about whether your company is compliant with the latest privacy rules? Please feel free to contact us or one of the members of our privacy team. We are happy to help with all your queries.